Phishing or email account hack leads to Nude Celebrity pictures

Nude photos of Jennifer Lawrence (seen here at the Oscars) have been leaked online. But how did the hacker get access? Photograph: Angela Weiss/FilmMagic

The leak of nude celebrity pictures and, allegedly, videos of Jennifer Lawrence by an unknown hacker has security experts – including Apple – interested and puzzled. Although the hacker has posted a list of scores of female celebrities to a chatroom, claiming to have more pictures of them, a number of the celebrities have claimed that the photos of them are faked, while others claim they were deleted.

The list of those allegedly affected is long, and includes Jennifer Lawrence, Jenny McCarthy, Rihanna, Kate Upton and the American actress Mary E Winstead. With any hack, the principal questions are: what was the avenue of attack? And where were the photos and videos – if they were real – downloaded from?

According to Apple, it is unlikely that their email system has been hacked. Large companies like Apple and Microsoft have dedicated in-house security teams who attempt to break into their own systems regularly.

Rik Ferguson, vice-president of security research at Trend Micro, said: “A wide scale ‘hack’ of Apple’s iCloud is unlikely. Even the original poster is not claiming that.”

As with the many celebrity hacks (and daily hacks that affect less famous people), the simpler and more likely explanation is the leak of an email and password combination, either through guesswork or “phishing”, when users are fooled by authentic-looking sites into entering their login details, which are then used against them.

Apple have said they are still investigating what is claimed to be an attack on its iCloud service but it is unlikely that their whole system has been compromised. The iCloud service is used by millions of iPhone users to store settings and back up all photos (and other data) taken with the phone to Apple’s “cloud” based servers.

Once you have an iCloud user’s email address and password, you can log in to their account and download those photos (including old / deleted ones) and other info.

An extra layer of security that sends a code to the owner’s phone before it allows login is an example of two-factor authentication (2FA), which greatly increases the security of an iCloud account. PayPal, as an example, has this exact security measure in place. However, comparatively few people use 2FA, either because they don’t know it is available or because it is too much trouble.

Apple has no comment currently on the incident but is still investigating whether the data was all taken from its iCloud service and, if so, to what extent users’ accounts were compromised.

Ferguson suggests that the hacker may have used the “forgot password” link on Apple’s iCloud system after managing to get hold of the various celebrities’ email addresses, either directly or by hacking someone else’s device or email system. If anyone used the same password on multiple services, then once the hacker discovered the password on a different site they could try the same password on the iCloud website.

Lawrence’s publicist did admit the photos are real but did not say how old they are. In a tweet, Winstead suggested a long standing effort by the hacker. “Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this,” she wrote.

However, security experts have pointed out that while a smartphone user may think they have deleted the photos from their phone, the photos can still be recovered from the phone’s memory. Someone may have got hold of her old phone and managed to retrieve the photos. That said, it is unlikely they happened upon a bunch of celebrities’ old phones.

Modern smartphones routinely save photos to the cloud because they often lack enough capacity for the huge number of photos that people take. Apple’s iPhone by default saves photos to iCloud; Google’s Android to its Google+ service and Microsoft’s Windows Phone to its OneDrive service.

Third-party services such as Dropbox also offer automated photo and data backups. “People take photos and zap them, but don’t realise that they are being uploaded and saved forever,” Cluley told the Guardian. Ferguson agrees: “Deleted doesn’t always mean deleted,” he notes.

The hacker posted a screenshot claiming to be of so-far unreleased videos and images taken on a Windows PC after he had no doubt downloaded them from one of the cloud based services above.

“Two-factor authentication” protects against such hacks because it requires anyone setting up a copy of an existing account on a new device to enter a code that is sent to the primary device – usually a phone. Without that, access is blocked. Apple, Google, Microsoft and Yahoo all offer two-factor authentication on accounts but as mentioned above, this service is not always taken advantage of for different reasons.
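The check described above, sketched as an added example (not code from Apple or any provider named here): a correct password from an unrecognised device yields only a challenge, and access is granted once the code delivered to the primary device is presented. The class, its names, the 5-minute expiry and the 3-attempt limit are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300   # seconds a code stays valid (assumed value)
MAX_TRIES = 3    # attempts allowed per code (assumed value)

class Account:
    def __init__(self, password, primary_device):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.trusted = {primary_device}   # devices already enrolled
        self.pending = {}                 # device_id -> [code, expiry, tries_left]
        self.outbox = []                  # stands in for the message to the owner's phone

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)

    def login(self, password, device_id, now=None):
        """Step 1: password check. An unknown device gets a challenge, not access."""
        now = time.time() if now is None else now
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return "denied"
        if device_id in self.trusted:
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[device_id] = [code, now + CODE_TTL, MAX_TRIES]
        self.outbox.append(code)          # delivered only to the primary device
        return "code_required"

    def verify(self, device_id, code, now=None):
        """Step 2: the new device must present the code sent to the primary device."""
        now = time.time() if now is None else now
        entry = self.pending.get(device_id)
        if entry is None:
            return "denied"
        expected, expiry, tries = entry
        if now > expiry or tries <= 0:    # expired or guessed too often: discard
            del self.pending[device_id]
            return "denied"
        if not hmac.compare_digest(code.encode(), expected.encode()):
            entry[2] -= 1
            return "denied"
        del self.pending[device_id]
        self.trusted.add(device_id)       # device is enrolled from now on
        return "ok"
```

Someone holding only a leaked or reused password stops at "code_required", because the code never leaves the owner's phone.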

Other celebrities have claimed that their naked pictures are in fact fake. A representative for Ariana Grande said the photos said to be of her are “completely fake”. Victoria Justice also tweeted that the “so called nudes of me are FAKE people. Let me nip this in the bud right now *pun intended*”

With so many people dealing with celebrities, it is possible that someone got hold of their user details, perhaps to manage their social media campaign, and then tried these details on other sites. However, it does appear that this has been done by a professional hacker covering their tracks rather than a simple opportunist.

Another possibility is an IT expert who helped the celebrity set up a new computer system and then gave themselves remote access to this system to grab and steal their data.

This has happened in the case of the “Hollywood hacker” Christopher Chaney, who spread photos from Scarlett Johansson and Mila Kunis’s email accounts back in 2011, and was sentenced to 10 years in jail in December 2012 and ordered to pay more than $66,000 in restitution.

Chaney was accused of illegally accessing the email accounts of more than 50 people in the entertainment industry between November 2010 and October 2011; in one instance he sent an email from the account of Aguilera’s stylist to the star, asking for scantily clad photos, and then posted them online.

Chaney did eventually apologise, saying that his actions were “probably one of the worst invasions of privacy someone could experience”. It was also claimed he had stalked two people online for more than ten years. A tad creepy.

In the Chaney case, the celebrities had their email accounts hacked, and all their emails were being forwarded despite the password being changed.

So the moral of the story is, whether you are a celebrity or not, use two-factor authentication where possible. If you need any help or advice, feel free to get in touch.

Colins IT