As you may have heard, hundreds of private, nude and nearly-nude celebrity photos — of Jennifer Lawrence and Kate Upton, among others — were leaked onto the internet on August 31. Despite a truly impressive number of stories that try to forward unproven theories about various potential attack vectors as truth, there is still no clear evidence of how the private photos were obtained. It’s conceivable that the photos were obtained via a “smash and grab” zero-day vulnerability in iCloud, but it’s also possible (and more likely) that another far easier method was used, such as spear phishing, to gather the photos over a long period of time. Apple says it’s investigating whether iCloud was hacked or not, and presumably it will have more data soon. In the mean time, let’s discuss how the celebrity nudes might’ve been obtained — and, more importantly, how to prevent such a debacle from happening again in the future.
Updated: Just after we published this story, Apple issued a statement confirming that an iCloud hack was not the source of the leaked photos. Apple did confirm, however, that some celebrities had their accounts accessed through an attack on “user names, passwords, and security questions.” To prevent such attacks in the future, read our tips for staying safe at the end of the story — and please, if you do just one thing today, enable two-factor authentication on your email and cloud storage accounts.
How did the hackers/criminals get their hands on so many nude photos?
The most notable thing about this whole situation is the scale of the leak. It’s not unusual for nude photos of one or two celebrities to emerge — usually from a hacked email account or stolen phone – but the fact that 101 celebrities got “hacked” (remember, it’s it’s not a confirmed hacking yet) all at once is rather spectacular.
The scale of the leak would seem to suggest that there’s some common element that ties the celebrities together, which allowed hackers to quickly access multiple accounts at one time. One possibility is that all of the celebrities used iCloud to back up their photos, and a hacker (or group of hackers) found a zero-day vulnerability in iCloud that allowed them to gain access to the photos. It’s worth noting that a zero-day vulnerability in the Find My iPhone feature was discovered and patched recently, too. This vulnerability, in theory, could’ve allowed for a brute-force dictionary attack on the passwords of these celebrities. Such an attack is incredibly unlikely, however: The range of capture devices (from iPhone to Android to webcam), first-hand reports from the affected celebrities, and a very broad timeline (some of the photos are years old, long before iCloud existed) make it much more likely that a more mundane method was used.
Spear phishing
In all likelihood, the cache of private celebrity photos is probably just the result of years of hard graft. Maybe some of them come from a zero-day vulnerability in iCloud — but I bet most of them are obtained from more conventional methods, such as breaking into an email or cloud storage account (guessing a password or using the Forgotten Password feature), or spear phishing (getting the target to install a backdoor on their computer via a cleverly constructed phishing email).
Because of the anonymous nature of this leak, and a lot of conflicting reports on how the photos were obtained (it seems everyone wants their five minutes of fame), it’s very hard to say definitively how the nude photos were obtained. It is probably the labor of love of someone (or a circle of people) who hoped to sell the photos to a website like TMZ, or something along those lines.
How do we stop celebrity nudes from leaking in the future?
Once we work out how the 101 celebrities had their private photos leaked, the next question is: How do we prevent it from happening again in the future? Moreover, how do we prevent hackers/leakers from obtaining the millions of nude photos and sexts that normal, non-celebrity people also send on a daily basis?
If you want to make sure that nude photos of you never surface, then the only real solution is to not take any in the first place — and to make sure that anyone who does see you naked isn’t carrying some kind of portable imaging device.
As that isn’t really possible — people have been sending risque photos to each other for as long as the medium of photography has existed — here are some more realistic tips for keeping your private photos private:
- Use a strong password on your email account. Make sure your security questions are hard to guess. Use two-factor authentication where it’s available.
- Don’t open email attachments, or follow any links contained in an email message, unless you know exactly what they are.
- If you must take nude photos of yourself, keep your face (and any other identifiable markings) out of the photo.
- Make sure you understand how cloud backup services actually work. If you use iCloud, Dropbox, Android, or one of the many other cloud backup/sync tools, take some time to read about how they work. Go into the settings and poke around a bit. If in doubt, just turn the photo-sync feature off (Here’s some instructions for disabling iCloud).
- Read our guide on how to stay safe online. Safe surfing is something that everyone should practice, even if you’re not worried about your nude photos being leaked.
Really, though, the main takeaway from this story is that nothing is sacred or safe — and doubly so if you’re a celebrity or other person of interest. Even if you take all of the precautions above, a clever hacker or phisher can probably still gain access to your device or account — it’s just a matter of how much time and effort they’re willing to put into it.
Ultimately, that’s probably what happened here: There was someone, or a group of people — an underground celeb nudes trading ring, perhaps — who really, really wanted to get their hands on some private photos. Irrespective of whether the photos were obtained via an iCloud vulnerability or some other means, I guarantee that a lot of effort went into it. There are some things that celebrities (and you) can do to minimize the chance of private photos being leaked, but short of never taking any photos in the first place, and other similarly unfeasible solutions, there isn’t really a whole lot that can be done. Such is the way of the internet and the concerted cybercriminal.