Hackers probably got naked photos of stars by exploiting password weakness

Naked photos of celebrities probably stolen due to slack security or hackers getting their email addresses and using 'forgot password' link

PUBLISHED : Tuesday, 02 September, 2014, 10:05pm
UPDATED : Wednesday, 03 September, 2014, 12:13pm

Apple and the FBI have pledged to investigate the alleged security breach of the tech giant's cloud data storage service, which is believed to have led to the leaking of nude photos of dozens of celebrities this week, including Oscar winner Jennifer Lawrence.

But experts say that the case is less likely to be a case of a full-blown hacking of the popular iCloud service, than the leak or guessing of email and password combinations.

"We take user privacy very seriously and are actively investigating this report," said Apple spokeswoman Natalie Kerris.

The FBI has also joined the hunt, other US reports said. "The FBI is aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter," Laura Eimiller, spokeswoman for the FBI in Los Angeles, said.

"Any further comment would be inappropriate at this time," she added.

Watch: Apple, FBI investigate massive celebrity photo 'hack'

Some of the pictures had previously been circulated on message forums, and others appeared fake, but some major stars, including Lawrence, expressed outrage and threatened legal action.

While the precise nature of the breaches remained unclear, security experts said there were several ways that hackers might have been able to break into iCloud accounts, if that is what happened.

The most headline-grabbing possibility - a frontal-assault hack of Apple's cloud service - is also the least likely. Large companies like Apple have dedicated in-house security teams.

Instead, Rik Ferguson, vice-president of security research at Trend Micro, suggests the hacker may have used the "forgot password" link on iCloud after gathering the celebrities' email addresses - perhaps from another hacked device. Alternatively, the stars used the same password on multiple services.

In another scenario, the hacker might have found a still-unknown security vulnerability that allowed access to an iCloud account. On the day before the leak was made public, a way to force entry into an Apple account using an alleged vulnerability in the "Find My iPhone" application was posted to the popular code repository Github. The alleged security flaw reportedly has been patched.

A theory offered on Twitter by security expert Dan Kaminsky, chief scientist at is that someone who was collecting a cache of the celebrity nudes may been hacked by the person or people who spread the images online over the weekend. If the photos were collected by an individual from different sources over a long period of time, it could explain why some of the images appear to be genuine and others are allegedly fake.

Security experts point out that if cloud storage was indeed the source of the photos, an easy security measure might have saved celebrities a lot of embarrassment. Most cloud services, including Apple's, offer an extra safeguard known as "two-factor authentication", which requires users to verify their identities in a two-step process using different passwords.

Hollywood stars have faced an exceptionally difficult time maintaining digital privacy in recent years, especially as prices offered for illicit photos by gossip sites increase.

Hackers can face serious punishment. In 2012, a man who pleaded guilty to email hacks that resulted in leaks of nude photographs of the actress Scarlett Johansson was sentenced to 10 years in prison.

Christopher Chaney, an unemployed Florida resident, said he stumbled upon the photos of Johansson after hacking into celebrity accounts. He received the steep sentence after Johansson's emotional video testimony at his trial, in which she said she was "truly humiliated and embarrassed" by the leaked images.

The Washington Post, The Guardian, Agence France-Presse