Assuming that it was a technical hack. As others have said, most of these things are far, far less technical than is often assumed. Most hacking is just social engineering: guessing usernames and passwords. And that is possible mostly because people use things that are too easy to guess.
We were talking about this on the way to work today.
To me, it doesn’t seem very hard to guess or workout a celebs apple ID…
But my big takeaway would be - anytime you don’t have physical control of your files you run exactly this risk.
Furthermore - while its “easy” to secure your files, delete files from iCloud, or simply not upload pix, it also needs a certain attention to detail and savvyness that not everyone has.
I just spent 4 hours over the last few days trying to download my wife’s contacts from iCloud after she accidently overwrote her phone - once I knew how it wasn’t hard, but working it out did take some time.
Thing is there is so much information floating around out there. Years ago I knew a woman who worked for an insurance company and they got to look into several celebrities personal which included medical claims. I sued to work for a credit card and we could look people up and find out all kinds of info like phone numbers, addresses, and social security numbers.
I might be able to see some of these people doing a Paris Hilton, but definitely not Jennifer Lawrence. She’s got nothing to gain. 4chan, incidentally, has identified someone now being accused of the hack. He’s not Jennifer Lawrence.
Yeah, there were probably multiple methods used to gain the pictures: Some brute-force attacks on the subjects of the pictures, some social engineering, some deliberate leaks by the subjects of the pictures, some deliberate leaks by the people the pictures were sent to, some brute-force attacks or social engineering targeted against the people the pictures were sent to, and so on. The important question isn’t “what method was used”, or even “what set of methods were used”, but “to what extent was each method used”.
I’d guess the opposite. In past cases the perpetrator hasn’t ended up being particularly sophisticated. I’d guess this will end up being similar, with one person relying on basically one trick he picked up on a web forum somewhere and tried with a bunch of different celeb accounts to find a few it worked on.
On one hand, this is a terrible invasion of privacy, and I don’t think these folks did anything that they could have reasonably expected was insecure.
On the other hand - well, that hand is busy.
I’ve read some things that there was a ring of people who would trade celebrity photos. The only way into the ring was to get some previously unknown photos. So you have a variety of people using different hacking methods to get different photos. It wasn’t one hacker getting all these photos. Many different hackers got the photos through many different means. Some hacked iCloud, some used an Android virus, some guessed email passwords, etc.
When some of the photos were released, the other collectors realized the game is up. They are dumping their collections to the public and scrubbing their hard drives to avoid being associated with it.
I was assuming that celebrities are in most ways regular people, and was therefore surprised that so many had naked pictures of themselves. Really, what percentage of regular people have naked pictures on their phones? I would guess that the vast vast majority don’t.
It is difficult for me to figure out what Jennifer Lawrence, who is perhaps the most illustrious and in-demand young actor on the planet, could possibly gain from this. Lawrence has her choice of jobs and commands whatever salary her whims might have her demand.
For that matter, many of the other celebrities targeted - the aforementioned Mary Elizabeth Winstead, Ariana Grande, Kaley Cuoco, Kirsten Dunst, Kate Upton etc. are all successful working entertainers. They may not be on the level of Jennifer Lawrence but they’re all rich and talented and have jobs lined up for as long as they want to fill their Outlook calendars. “The Big Bang Theory” alone means Kaley Cuoco’s going to be wiping her countertops down with hundred dollar bills for the rest of her life.
I would guess that you are vastly vastly underestimating how many people have naked pictures of themselves or their present and former lovers. And, once again, these were not pictures on their phones. These were pictures taken with their phones or other devices and stored in the cloud.
Well, the Pew numbers are about 10% for sending a nude or nearly nude photo and 20% for receiving. Numbers here. So that’s one data point. My guess is the numbers skew higher as you get younger. Now, it’s not exactly the same as what you’re asking and what happened here (assuming the cloud is to blame), but I would not be surprised to find nudies on a random friend’s phone myself.
You’re only saying this because Helen Mirren’s nude selfies haven’t gone public yet.
Apple confirms that accounts were compromised by passwords and security questions.
The consensus seems to be that this was a variety of attacks by multiple attackers over a long period of time. Mostly involving poor passwords and guessable security questions. The recent leak was actually a leak from a private trading ring, many of the attacks happened long ago.
The breach does not seem to involve the recently published brute force script.
It still doesn’t explain the question in the OP: how did they find the victims accounts in the first place? It’s likely that (if the details ever come to light) the answer will involve compromised email accounts and other online services as well.
This gives a pretty good answer to the question of how accounts were identified. The network of attackers includes…
Winstead and Dunst used to be very successful but haven’t done much recently, and Dunst is supposed to have an industrial scale drug habit to feed. There’s a rumour going around that the JLaw snaps are from a “casting couch” catalogue and that she owes her entire career to sleeping her way to the top. Probably not true, but not impossible, especially in the wake of Gamergate.
My understanding is the ring wasn’t just a ring. They clandestinely sold pictures for Bitcoin. Then a guy came up with a new strategy. He leaked a bunch of Jennifer Lawrence pics and said he had a lot more he would leak if people would give him more Bitcoin. He got a lot of money. So then everyone else tried to jump in to get money.
If it wasn’t for the money, it would have made more sense to just delete the images. But they want to get at least something out of the images first.
You may think they are trying to preserve the images, counting on the fact that something posted on the Internet can’t be deleted. But there are other ways to do that. There are plenty of places to put images where they won’t be found.
There are fakes in there, too, which fits the money motive even better. I’ve even heard there are some where it’s just a clothed celeb followed by a picture of boobs with the head cut off.
I didn’t say that the attacks were particularly sophisticated, just that there are a large number of unsophisticated methods that could have been used. In fact, it’s hard to get much less sophisticated than “get sent the pictures and decide to sell them”, or “ask the person with the pictures to tell you their password”.
So for the first 24 hours or so, the person(people?) responsible claimed to have a lot more of pictures available if people paid them. Did that ever manifest or was it just a bluff to get more money? Did any money actually change hands?