During what is a long holiday weekend in the United States, an anonymous hacker claims to have successfully hacked Apple iCloud and its Photo Stream feature for nearly 100 celebrity accounts and placed several photos on 4chan.
Celebrity photos are nothing new, and risqué photos of attractive actresses are also not new, but they were probably a large part of what made this a big story. What added to the headlines was the possibility that iCloud was breached.
As of the time of this writing, it is not known if iCloud was actually circumvented, but it probably played a role somehow. We looked through a Pastebin page with several thousand lines of EXIF data. It does not conclusively point in one direction or the other because EXIF data is not necessarily indicative of anything. That said, a lot of binary information there appears to trend consistently.
Some security folks started picking at what data they had on hand about the pictures, and everything is a theory at the moment. On one hand, a particular tweet from Mary Winstead, star of Scott Pilgrim vs. The World, points strongly to the idea that at least some photos resided on a server, not a device. She stated that the pictures of her were removed from her device “long ago.” With Photo Stream, the pictures remain on iCloud and in device back-ups even after they are deleted off the device.
On the other hand, it seems unlikely (albeit not inconceivable) that someone could gain unauthorized access to Apple’s iCloud and pick through over 100 accounts. A few of the celebrities have confirmed (or denied then later confirmed) the authenticity of the pictures. A spokesman for Jennifer Lawrence, of Hunger Games fame, said they contacted the authorities and would prosecute anyone who posts the stolen images. Other celebrities affected by this wave of pictures include Vanessa Hudgens, Rihanna, Kate Upton, and Hilary Duff.
Photo Stream retains pictures in the cloud, even after they are deleted off a device
This could be a case of “social engineering” too, where someone grabs publicly available data about an individual and deduces password or security question insights through a bit of trial and error. Given the number of people involved, however, that strikes us as unlikely. Finding accounts that are not adequately protected is far more feasible (a lot of people use terrible passwords). Another plausible theory is that someone’s private “prized” collection of photos, kept on a single machine, was compromised.
As we watch the story unfold, there is the simple issue of what many are phrasing as an invasion of privacy. That is true, but the difference here is that “celebrity” exposure is treated differently than if these were pictures of one’s next door neighbor. Back in 2012, a man was sentenced to 10 years in prison for posting nude photos hacked from Scarlett Johansson's phone.
This will certainly be an evolving story as people try to establish a digital crumb trail and see where these images were found. Since Monday is the Labor Day holiday in the United States, it is possible we may not see any official statements from Apple until Tuesday at the earliest.
In the meantime, be good stewards of your digital self. Use strong passwords, secondary authentication, and simply do not put anything on the internet that you would be uncomfortable with the whole world knowing tomorrow.
Maxwell Ramsey has made significant contributions to PhoneArena through his detailed reporting on technology policy and advancements, such as wireless charging standards and FCC regulations, helping demystify complex topics for a broad readership.