

Over 40 celebrities have iCloud accounts compromised and nude photos stolen - jdoliner

This might well wind up being the highest profile security breach we&#x27;ve ever seen in terms of national media coverage. The story is still developing but I&#x27;m interest to hear HN&#x27;s thoughts on it as it does. How is Apple going to respond? Will this hurt their image and how?<p>Here&#x27;s a few links to get you caught up:
http:&#x2F;&#x2F;www.bgr.in&#x2F;news&#x2F;jennifer-lawrence-nude-photos-leaked-after-alleged-apple-icloud-hack&#x2F;<p>http:&#x2F;&#x2F;www.theregister.co.uk&#x2F;2014&#x2F;08&#x2F;31&#x2F;jlaw_upton_caught_in_celeb_nude_pics_hack&#x2F;
======
CBanga
I know a lot of people (@SwiftOnSecurity) are leading charge that this is an
iCloud breach, but I'm thinking maybe not for a few reasons.

\- A couple of photos seem to be taken with Android phones/web cams. I know
this doesn't mean much, but makes it less likely to be a Photostream breach,
as for that to happen, we'd likely only see photos taken with iPhone or iPad.
This makes it much more likely to be from someone's personal backup. Could be
iCloud, but not likely to be a Photostream exploit.

\- Some videos in leak, and as far as I know, though I could be wrong,
Photostream doesn't back up videos, only photos. So again likely a backup.

\- Specifically with what look to be webcam examples, I don't want to downplay
these celebrities tech knowledge, but to send webcam photos, I would guess
email or something was used, not iMessage, etc. Again, likely to probably be
from a backup.

My thoughts are that someone who has been overly friendly with a lot of female
celebrities either had a really bad Apple ID password, so it was compromised
on a device, where photos from a Photos.app backup were grabbed from. That, or
some sort of stolen phone/laptop for the same person. I'm skeptical, but
doesnt look like a wide spread Apple iCloud exploit yet.

~~~
BorisMelnik
"A couple of photos seem to be taken with Android phones/web cams. I know this
doesn't mean much,"

I know this may seem a tad obvious, but a lot of people have photos that have
been sent from other devices (via email/text) in their iCloud so I wouldn't
base any conclusions off of that.

------
mschaecher
I have a feeling this story is far, far from being over.

And I'm very curious as to how the fuck this happens.

I haven't seen many theories in general, let alone theories with much evidence
behind them about how this could have happened. Other than iCloud! No dropbox!
No NSA!

So while I wait for more technical minds to weigh in, I figured I'd take a
stab at an alternate theory for people to ponder (or hopefully more likely
tear apart!)

tl;dr

Gaining covert access locally via a potential buffet of attack vectors. Feels
like this article, but voyeur not espionage (or necessarily China/state-based
obviously) [http://www.nytimes.com/2012/02/11/technology/electronic-
secu...](http://www.nytimes.com/2012/02/11/technology/electronic-security-a-
worry-in-an-age-of-digital-espionage.html)

Theory:

\- Original hacker is one w/ privileged network access, &/or proximity to
sniff, &/or compromise device(s) physically at a place frequented by celebs
over a long period of time(years).

\- Hotels, spas, coffee houses, studio lots, awards, etc etc.

\- Potential for many attack vectors to match any given skill set. From MITM,
to malware, to phishing, to gathering PII for social eng to compromised
charging stations.

\- And gives a window of time to allow for fast data transfer pillaging via
LAN.

\- Also gives a window where on same network, at same time and place pry helps
to avoid tripping some suspicious access detection alarms.

\- OG hacker is prob up to lots of nefarious stuff and someone else popped
their personal stash.

\-- What lead me there and away from a single platform exploit, a la iCloud?

I tried making sense of what was known and a few assumptions.

\- If it was a platform exploit, finding even 20 of these girls' actual login
emails from which to locate their accounts on a service is a massive
undertaking – unless you have some kind of privileged position to harvest them
(hotel desk, gyms, award ceremonies, etc etc) \-- I feel like the probability
of all these girls having passed through same places – like hotels, spas,
sundance, soho house, awards, festivals, etc etc – over the course of 2-3
years is way higher than someone managing to figure out 100 correct login
emails for them.

\- The attacks appeared to have happened over a long period of time. At least
late 2011 to within the last month judging from exif data. So they avoided
tons of software and hardware updates for bugs and security patches.

\- I assume these celebs have TONS of photos on any of their devices at any
given time. Being photographed and taking photographs are part of their lives.
So we're talking thousands or tens of thousands. Which takes a lot of time to
copy. And like all of us, their photos are unorganized which means it takes a
lot of time to find the gems. The longer it takes the attacker to get access
and pillage, the more they are exposed. They needed to get in quick and
consistently, and get out very fast.

\- Given the volume and (alleged) success rate of 100+ celebs, manual social
engineering or brute is out.

~~~
jnorthrop
I think the answer is more simple than that. We had the news 3-4 weeks ago of
a Russian group propagating a file with over 1 billion user accounts[1]. I bet
someone went through that list, found the celebrities and used that
information to access their iCloud accounts.

[1] [http://www.politico.com/story/2014/08/russian-hacking-
gang-u...](http://www.politico.com/story/2014/08/russian-hacking-gang-
usernames-passwords-109741.html)

------
atmosx
What gives me the creeps is this:

"Knowing those photos were deleted long ago, I can only imagine the creepy
effort that went into this. Feeling for everyone who got hacked.

— Mary E. Winstead (@M_E_Winstead) August 31, 2014"

Why where the pics available if they were deleted? On the technical side I
mean, are iCloud/Flickr/Google/FB supposed to keep an archive with all the
pictures users delete?! Isn't that a severe accusation about iCloud services?!
(if true of course).

~~~
lutusp
> Why where the pics available if they were deleted?

Easily explained. When you delete a photo from an online site, it's often the
case that the photo is moved from its original folder to the "deleted" folder
and stored there. This is how Google Drive works (using a folder named
"trash"). Then, if you're especially diligent, you can delete the contents of
the "deleted" folder, in which case, and finally, the content is deleted.

> Isn't that a severe accusation about iCloud services?!

Consider the alternative: "I unintentionally deleted my magnum opus. Where did
you put it? On a desktop machine, there's a trash bin -- where's yours?"

You need to realize that, no matter what strategy you choose, someone will
find a reason to complain about it, and their own ignorance will never be the
problem.

~~~
atmosx
I see what you mean, you got a point there.

ps. Thanks for the Google Drive hint, didn't knew that since I moved away from
dropbox recently to GD.

~~~
lutusp
> ... since I moved away from dropbox ...

Me too. As soon as I saw a Dropbox message that I had exceeded their puny
storage limit and needed to start sending them money, I dumped them.

~~~
junto
Because online storage should be free? Companies can't survive without
charging you, or turning you into an advertising commodity.

If you're not paying then "you're the product, not the customer".

Personally I would prefer to be a customer.

~~~
lutusp
> Because online storage should be free?

No, because other services offer more for less.

> Companies can't survive without charging you, or turning you into an
> advertising commodity.

Yes, but when one shops, one chooses the best of competing alternatives. You
know, like in capitalism?

> If you're not paying then "you're the product, not the customer".

Nice reductionist sentiment. Just be sure your sexual partner doesn't hear you
saying this.

There's a little more to life than you seem to think.

~~~
junto
Fair enough. I read your original post as if you were completely against
companies charging for a service and that all such services should be free.

------
anothertool
I feel like the finger is being pointed in the wrong direction here. Were the
images intentionally shared? No. Was it theft? Yes. However... you are a
celebrity with no expectation of privacy, and privy to public attention and
scrutiny. So is it illegal? Hell yes. Is it shocking? Not at all. Personally I
feel like the blame should be placed on iCloud, and Android for making the
default setting "save to the cloud". You want a solution, open a class action
law suit against them both. I would be willing to bet that Microsoft is doing
it too! Who really failed here, the end user, or the technology?

------
kretor
The following seems to explain it - a guide on how to break into someone's
AppleID.

From a site affiliated with AnonIB, where celebrity nudes first surfaced:

[https://web.archive.org/web/20140904115530/http://ibstol.wor...](https://web.archive.org/web/20140904115530/http://ibstol.wordpress.com/step-3-security-
questions/) (NSFW)

------
camillomiller
Doesn't look like an iCloud hack to me too. More like a sloppy security
setting on the part of the actresses, like too simple security questions or
passwords too easy.

Have they any ties in terms of celebrity management? The leak of some
credentials (personal emails) could have been obtained from some agency's
unsecured server.

The possibility of an iCloud leak is very low at this moment.

------
ffreitasalves
If I had to manage this kind of crisis, I would put all this celebrities
together and tell that it was all part of a campaign against nude photos
sharing and possibly deny the most dirty pics that leaked and never admit this
happened.

------
kphild
For up to date coverage, check out the subreddit dedicated to this event:
[http://www.reddit.com/r/Fappening/](http://www.reddit.com/r/Fappening/)

------
garysvpa1
why do they take nude photos of themselves? I dont get it.

