Hundreds of nude pictures of female celebrities including Jennifer Lawrence, Cat Deeley and Kelly Brook were leaked after being stolen from their private collections. As the FBI investigates the hacking allegations, Gayle Ritchie finds out more.
The internet went crazy on Sunday with the release of dozens of celebrity nude photos. Over the weekend, numerous reports began popping up around the web that Apple’s iCloud service had been compromised, resulting in a leak of hundreds of intimate photos of female celebrities.
The photos, which included Hunger Games actress Jennifer Lawrence, former Downton Abbey actress Jessica Brown Findlay, Ariana Grande, Victoria Justice and Kate Upton, were posted on the image sharing forum 4chan.
Some 60 naked pictures of Miss Lawrence an Oscar-winning actress were reportedly stolen from her Apple iCloud account, which backs up content from devices like iPads and iPhones on to the internet. Ms Justice and Ms Grande have both said the pictures are fake, while Lawrence’s spokesperson verified their authenticity and said the photos were a “flagrant violation of privacy”.
Images of the celebrities were leaked on image posting website 4chan. The user posting them who defined him or herself as a “collector” rather than “hacker” said more images of different celebrities would soon be posted.
Copies of the images spread to other services, including Reddit, Imgur and Twitter, from which they were subsequently deleted by administrators.
Since the initial leak, a 4chan user has claimed that they alone have access to 400 more images of nude celebrities, and asked other users for help to “figure out precisely how much has been leaked” indicating that more than one user may be involved in the incident.
As Apple is investigating whether iCloud accounts have been hacked, the FBI is looking into the allegations that intimate pictures of celebrities have been stolen and posted online.
A spokesman told the Associated Press news agency that it was “aware of the allegations” and was “addressing the matter”.
While some of the celebrities said the images were fake, others have confirmed their authenticity.
Actress Mary Elizabeth Winstead posted on Twitter: “To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves. Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this.”
Winstead’s comments would suggest iCloud was not actively involved, as pictures on Apple’s service are only viewable online for 30 days.
But Spider-Man actress Kirsten Dunst, who is also reportedly a victim of the leak, tweeted: “ Thank you iCloud.”
A spokeswoman for Jennifer Lawrence, who is one of the biggest stars to be caught up in the scandal, said she had asked US authorities to prosecute whoever is posting the photos.
Experts have raised concerns over the security of “cloud” storage sites. “It would appear that the leaked photographs have been stolen from cloud-based back-up storage,” said Dr Natalie Coull, a lecturer in Ethical Hacking at Abertay University in Dundee
“Apple’s iCloud is an example of this, where the user’s phone automatically creates a back-up copy of all the photographs from the phone and uploads them to one of Apple’s remote data centres (basically just a huge computer).
“Each user’s photographs are protected by a password that the user creates themselves. This feature is really useful if you lose your phone, as it’s very easy for the user to get their photographs back by accessing their iCloud account with their password.”
Dr Coull reckons hackers have managed to gain access to the celebrities’ cloud storage by guessing their passwords, using what’s called a “brute-force password attack”.
“A brute-force password attack is when a hacker tries to gain access to an account by guessing every possible combination of password,” she said. “The shorter the password is, the quicker it will be guessed. It is most likely that the photographs have been stolen because the celebrities had “weak” passwords a password less than 15 characters long, with a poor mix of uppercase, lowercase letters, numbers and characters. We always recommend that passwords are longer than 15 characters as they cannot be cracked in our lifetime using the brute-force method.”
Anyone caught accessing someone else’s iCloud account in the UK would be breaching the Computer Misuse Act and could receive a prison term or large fine. Different counties have different legislation, and different laws will apply depending on where the breached data centres are located and where the hackers live.
“Obviously, trusting your personal photographs to the cloud is another issue entirely and users should weigh up the risks of using cloud storage against potentially losing their phone and associated data,” warned Natalie.