Massive celebrity nude photo theft and how you can protect yourself

Last night a massive number of nude celebrity photos were posted onto the internet. To be clear, these weren't "leaks". These were crimes. They were thefts and illegal distributions and worse — violations of privacy and dignity. Dispassionately, it should absolutely be treated like credit card or banking or any other information being stolen. Passionately, we only need to imagine they were photos of us or our loved ones to put it in the proper human context. So, what happened, who can we trust, and how can we protect ourselves?

What happened?

People had their personal property stolen and their privacy violated. Breaking into someone's account or phone is no different than breaking into their car or house. Likewise, for anyone horrified at the allegations of government or corporate surveillance, for anyone outraged when apps or social networks misuse or misappropriate images, messages, or contacts, for anyone rallying to the cause of personal security and privacy, what could be more of an offense against security and privacy than this?

Clementine Ford, writing for Daily Life:

It's a crime, and we should be discussing it as such. Some media outlets are salaciously reporting it otherwise, as if the illegal violation of privacy involving intimate images is little more than subject for gossip. When associated with sex, the word 'scandal' has been typically interpreted as something that assigns responsibility to all parties involved, a consensual act unfortunately discovered and for which everyone owes an explanation or apology.

Decades ago paparazzi used zoom lenses to take photos of celebrities in various states of undress and sold them to tabloids who plastered them all over checkout lines. This is nothing new. However, the anonymity, ubiquity, and access afforded by the internet accelerates and amplifies it in a way that feels very new.

Ultimately, that we're dealing with celebrity, nudity, and Internet — three things society has an adolescent maturity level about — makes no difference. They're human beings. They had their stuff taken and put out on display. That's what matters.

How did it happen?

This part is harder to figure out. Many in the media ran with an early claim that Apple's iCloud was the source, and stuck "iCloud hack" in every headline and opening paragraph they could. In their race to be "FIRST!" few took any time to actually investigate. Maybe they'll be proven right, maybe wrong, but they didn't show their work and that's bad for everybody.

Various online information security experts, however, spent the night examining data, looking at patterns, and sharing insights on Twitter, some convinced it was iCloud, some convinced it wasn't, opinions swinging back and forth as the night went on.

This morning it is no clearer.

Charles Arthur, writing for The Guardian:

The most headline-grabbing possibility for the source of the photos – a full-on frontal-assault ground-up hack of Apple's iCloud service – is also the least likely. Large companies like Apple have dedicated in-house security teams who attempt to break into their own systems regularly.

There are a lot of potential attack vectors including phishing and other forms of social engineering, non-unique passwords stolen from one site and used to gain access to others, or even someone in a physical or virtual location or profession that gives them privileged access to accounts or devices, ranging from technicians to social media managers.

In counterpoint, Adrian Kingsley-Hughes, writing for ZDNET:

Apple has patched an exploit with its Find My iPhone online service that [...] allowed hackers to flood the site with passwords [sic] attempts without being locked out. By employing bruteforcing techniques, hackers could use this to guess the password used to protect the account.

The email address would have to be known, two-step authentication couldn't be enabled, and shorter, simpler passwords would be faster to hack. None of those are impossible or even unlikely, and the timing has resulted in a second wave of headlines linking the two events with every synonym for "might" or "could" imaginable.
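
An added example (not from the original article, and not Apple's code) of a failed-attempt limit keyed by account, so that every endpoint accepting the password shares the same counter and lock. The class, endpoint labels, thresholds and sample events are hypothetical and constructed for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Failed-login limiter keyed by account, shared by every endpoint."""

    def __init__(self, max_failures=5, window=300, base_lock=60):
        self.max_failures = max_failures    # failures tolerated within `window` seconds
        self.window = window
        self.base_lock = base_lock          # first lockout in seconds, doubled on repeats
        self.failures = defaultdict(deque)  # account -> times of recent failures
        self.locked_until = {}              # account -> time the current lock expires
        self.lock_count = defaultdict(int)  # account -> lockouts imposed so far
        self.audit = []                     # (time, account, endpoint, result) for monitoring

    def attempt(self, account, endpoint, password_ok, now):
        """Record one attempt at time `now`; return 'locked', 'denied' or 'ok'."""
        result = self._decide(account, password_ok, now)
        self.audit.append((now, account, endpoint, result))
        return result

    def _decide(self, account, password_ok, now):
        # The lock is checked before the credential result, so a correct guess
        # made during a lockout gets the same answer as a wrong one.
        if now < self.locked_until.get(account, 0):
            return "locked"
        if password_ok:
            self.failures[account].clear()
            return "ok"
        recent = self.failures[account]
        recent.append(now)
        while recent and recent[0] <= now - self.window:  # drop failures older than the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.lock_count[account] += 1
            lock = self.base_lock * 2 ** (self.lock_count[account] - 1)
            self.locked_until[account] = now + lock
            recent.clear()
        return "denied"

# Constructed sample: (account, endpoint, password_ok, time in seconds).
SAMPLE = [
    ("alice@example.com", "web_login", False, 0),
    ("alice@example.com", "device_locator", False, 1),
    ("alice@example.com", "device_locator", False, 2),   # third failure: lock
    ("bob@example.com", "web_login", True, 3),           # other accounts unaffected
    ("alice@example.com", "device_locator", True, 4),    # correct guess while locked
    ("alice@example.com", "web_login", True, 70),        # owner, after the lock expires
]

def replay(events, throttle):
    """Feed events through the throttle and return the decision for each."""
    return [throttle.attempt(*event) for event in events]

if __name__ == "__main__":
    print(replay(SAMPLE, LoginThrottle(max_failures=3)))
```

A per-account lock lets anyone who knows the address lock its owner out, so deployments usually pair it with per-source limits or a challenge step.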

There is also the possibility we're dealing with multiple hacks through multiple vectors that occurred over an extended period of time, or multiple individuals and layers of hacks.

Forensic researcher Jonathan Zdziarski:

[Ali] Michaels' exif data is so different from [Kate] Upton's, I have to wonder if it was a completely separate hack or maybe separate leaker.

Should iCloud customers panic?

No, but like any customer of any online service or digital device, you should be concerned.

iCloud Photo Stream, if we allow it, keeps our last 1000 photos for 30 days backed up to all our devices. iCloud Camera Roll backup and the upcoming iCloud Photo Library will keep all photos and videos backed up online up to the limits of available storage.

Dropbox, Google+, Microsoft OneDrive and other cloud services, likewise if we allow it, will auto-upload all our photos and videos and keep them on their servers up to the limits of available storage.

Bugs will always be found in code. Humans can always be tricked.

Unfortunately, just like home owners should be concerned enough to lock their doors, customers of online services should be concerned enough to lock down their accounts as best as they can.

What can I do to protect myself?

Most people aren't high-value targets for these kinds of attack. However, if you're at all concerned about your security and privacy and the security and privacy of your accounts and devices, here's an article I wrote a couple of months ago that details how you can make your iPhone or iPad as secure as technically and humanly possible.

If you haven't already, please take a few moments to read it and share it.

Rene Ritchie
Contributor


28 Comments
  • Google owns my life; with that in mind I change my password every 3 months and of course have 2-step enabled. While it's not bulletproof I feel it's at the same level of risk I run of having someone break into my house. However, if it is officially determined that an iCloud security breach was the source of this awful crime it certainly brings new questions to the table.
  • If this was a security breach of the iCloud service it's not a good look. Especially given the timing of it. Come Sept 9, I'm sure Apple is expecting to talk about security deeply..
  • And this is why users want more on board storage and not have to rely on a cloud. It is a shame this happened, and hopefully Apple can get it all patched before the Sept 9th event.
  • We're not even positive if it was an iCloud leak. We'll probably know more tomorrow after the Labor Day holiday.
  • I agree with you on the storage. I don't know of any of Apple's competitors that charge $650 for 16GB of non expandable storage. I think it's past time that Apple moved to a 32GB, 64GB, 128GB storage tier with the same pricing tier as before $650, $750, $850. Saying any different is no benefit to us the consumers, just beneficial to Apple. Edit: aww I see my above post was down ranked by some Apple zealots. Never mind that I use Apple products almost exclusively. Oh well, I must go cry a river somewhere.
  • Agree. With tiered data, 16GB doesn't cut it. 32GB isn't that expensive, especially with the deals Apple can work as to necessitate the $100 increase.
  • 99c/mo = 20GB
    3.99/mo = 200GB
    Those are the iOS8 Photos pricing. While the prices are VERY appealing, it's going to be hard to present the idea of "cloud storage is better than onboard" now. I'm still going to buy a bucket of iCloud photo storage but I really would prefer to simply have a 128GB iPhone to keep it on.
  • Typical comments from the variety.com article on the subject:
    "i have never heard of Mary E. Winstead OR Victoria Justice, so their publicists must be happy at least. it’s probably the last time I will ever hear of them too."
    "Are you joking? They probably set the whole stunt up. Of course they’re happy"
    Frankly I very much doubt it in this case, but maybe I am naive: in fact practically all of the last decade's spate of "stolen" sex tapes were leaked by their participants/participants' publicists. You should always keep that possibility in mind when writing that " 'leaks' are crimes". Again, unlikely in this case due to the range of people involved. But look at it another way: "Nude photos of Mary E. Winstead" -- nobody clicks. "Nude photos of Jennifer Lawrence and Mary E. Winstead" -- many people click.
  • "Massive nude celebrity photo theft" is such an awesome way to title this article. Let's encourage more views of these photos. Maybe we should just talk security without providing more light to the availability of these photos. I understand you didn't direct anyone but the title definitely garners interest and net savvy folks are aware these photos are just a few clicks away.
  • This tweet from Zdziarski pretty much sums up iCloud security: https://twitter.com/JZdziarski/status/506460324112125952 That said, it's doubtful all these photos came from iCloud.
  • Just my two cents
    Apple needs to / must add the following steps:
    - Two Factor Authentication to all iCloud services.
    - Create individual password per device for iCloud access and sync.
    - or a list of the approved devices and an option to approve or remove on the fly.
    - Option to trust computer each time phone is connected to the PC. Like it was done on Blackberry a long time ago.
    Please remember that a strong password is a good option and a fingerprint scanner is also a good option when you're on any Apple iOS device, but you still need to enter the same password to access iCloud from a Mac or PC; it's just not that safe anymore.
    From my understanding, the user must have an option to add a separate password or additional PIN to get access to iCloud services: Mail, Contacts, Notes, Find My iPhone, Reminders, etc. Sent from the iMore App
  • "Apple needs to / must add the following steps:
    - Two Factor Authentication to all iCloud services."
    Already done.
    "- Create individual password per device for iCloud access and sync.
    - or a list of the approved devices and an option to approve or remove on the fly."
    Don't be stupid. Touch ID avoids all of that.
    And it wouldn't be hard to add Touch ID to Mac.
    Oh, there's also File Vault for OS X.
    "- Option to trust computer each time phone is connected to the PC. Like it was done on Blackberry a long time ago."
    Already done. Somebody needs to pay more attention.
  • 1: Two Factor Authentication is still not available for icloud.com
    2: stupid is the one who doesn't need additional security! Sent from the iMore App
  • - Option to trust computer each time phone is connected to the PC. Like it was done on Blackberry longtime ago.
    Once you trust any computer, that computer is trusted for good! Before posting like that, learn the subject first!
    FYI
    Touch ID is just a shortcut to your password, and confirmation that your ID is true. Touch ID cannot be used without a password! Sent from the iMore App
  • Whether or not they were used in this instance, it is disappointing that iCloud had been vulnerable to such simple brute force attacks as described in Adrian Kingsley-Hughes's article. That is security 101.
  • You mean others are not vulnerable to this trick.
  • Internet 101 - Don't assume anything on the Internet intended to be private will stay that way. Internet 101-b (2014 addendum) - Since much of what our computers and mobile devices now do is cloud-based, it's on the Internet (c.f. Internet 101). While I agree with Rene that it's theft and illegal and all of that... the practical upshot is that maybe it's not a great idea to take photos of your 'naughty bits' with your phone. Like Rene's example, although I understand it would be illegal for a thief to break into my home, I do lock the door... and if I have something really really important, I lock it in a safe or take other measures to protect it. Same for my data. If I have data that shouldn't get compromised, it gets encrypted, and if it's really critical, it doesn't go into the cloud. And, if I were going to take photos of my 'naughty bits' I'd do so with a non-Internet connected camera and lock the memory card in a safe after use. Hmm, maybe I should create a 'How to safely use and store 'naughty bit' photos' course for the Stars, starting at only $1995. Hurry, price goes up in two weeks. :)
  • This is what we get for killing off the Polaroid camera I suppose.
  • I'm waiting to see. Of course 'tabloid' tech sites will run with iCloud leak. When the dust settles probably not iCloud.
  • By then, whether or not iCloud was the source, the damage to Apple's already less-than-sterling reputation regarding cloud services will be done.
  • I can't stand all the tabloids. Would be funny if it's not iCloud then they would all fall on their face. But of course this is awesome for them. Nude celebrities and Apple in the same sentence is what they've been dreaming of.
  • I do not know who made this statement, but it does fit. "Whatever Man Makes, Man Can Get Into." Be it brick, or electronic, man can break into it. Sad fact, but so true. All you can do is make it harder. Sent from the iMore App
  • Hugely bad PR. I don't use iCloud to save photos (granted I've never taken a naked pic either so not a big deal). But horribly bad PR for Apple and if it's their fault they need to fix their service. Even so there's nothing that can be done to fix the mortified people who have now had their privacy and specifically private sexual activities plastered embarrassingly all over the internet.
  • There is always something we can do. Maybe we should avoid making any reference to Apple's security issues on the forum. That is a form of protection I guess. Oh it happened.
  • This is one reason why I don't think cloud computing will be as big as some say. Imagine this being a company who stores all of its customers' information in the cloud, and gets hacked or intercepted. This would ruin a company, be it Apple, Microsoft, Dropbox, etc., someone will eventually get in. That being said I think this wasn't a hack of iCloud but poor passwords by these celebrities. People think they can outsmart someone by being witty with passwords, which may be true... But you can't outwit a computer that generates 1,000's of passwords an hour. Sent from the iMore App
  • "Decades ago paparazzi used zoom lenses to take photos of celebrities in various states of undress and sold them to tabloids who plastered them all over checkout lines. This is nothing new. However, the anonymity, ubiquity, and access afforded by the internet accelerates and amplifies it in a way that feels very new. Ultimately, that we're dealing with celebrity, nudity, and Internet — three things society has an adolescent maturity level about — makes no difference. They're human beings. They had their stuff taken and put out on display. That's what matters." So what are you trying to say with that? Technology has aided the paparazzi for quite a while now and it's legal just as you wrote. Advances in technology and a small bit of knowledge about the services and behind-the-scenes software that makes it work i.e. server admin... is all you need many times to "walk right in and look". I just don't know how many times I've been on a client's website and for the heck of it, removed everything before the last slash, and got a directory listing everything within that server folder. Is that breaking and entering or even hacking? I don't think so. The responsible among us tell the client or web admin to shape up and drop an htaccess file in there pronto. Now the less moral among us on the internet may just look, or worse take and distribute for whatever jollies the data affords them. You can't put a lid on advancing technology, any more than you can contain the stupidity of people that don't take the time to learn a little bit about technology and security before trusting their private data to new gadgets and tech. I personally abhor and despise stalking of all kinds and especially that of celebrities. If internet technology is going to be attacked, then I also think it's fair to include laws against all unauthorized/unwanted voyeurism (paparazzi) and specifically the publishing, licensing, and profiting from it.
  • The very reason I back up all my own data.
    I keep nothing on ANY CLOUD based services.
    I don't want to knock anyone, but in this case I will.
    Anyone stupid enough to not MANAGE their OWN LIFE gets what is coming to them.
    I love Apple their products and technology but that is where it stops.
    I don't give them my personal data . PERIOD! As for the ACTRESSES that are bitching, crying and moaning, FUCK THEM, and FUCK THEM for blaming ICLOUD. THEY'RE STUPID BROADS AND THEY LOVE THE ATTENTION. if they were so concerned ABOUT THEIR private PUSSY SHOTS, perhaps they should have been more concerned about the SQUEAKY clean appearance, and perhaps NOT TAKEN THE PHOTOS IN THE FIRST PLACE.
  • They can hardly be blamed for their ignorance, it is not like the services they were using are advertised by Apple as being insecure.