Late Sunday, Reddit and 4Chan exploded with one or more hackers dumping a large collection of stolen nude images from a long list of Hollywood celebrities. Among the celebrities affected are Jennifer Lawrence, Ariana Grande, Kate Upton, Kaley Cuoco, Aubrey Plaza, Victoria Justice, Mary Elizabeth Winstead, Becca Tobin, Jessica Brown Findlay, and Teresa Palmer. The list of celebrities posted Sunday at 4Chan was much longer (totaling over 100 female stars and athletes) so it is possible that more stolen photos are forthcoming.
Several of the stars' representatives have confirmed the leaks of the stolen photos.
There has been much speculation about the source of the photos, with Apple’s iCloud backup service being the most mentioned spot where a hack may have occurred. A variety of technical theories have appeared – from insecurities with the FindMyiPhone API to the venue WiFi at the Emmys last month. Given the volume of stolen data, the most likely explanation is that the hacker(s) had compromised various e-mail accounts and gained access to the files via the connected services that work together with those e-mail accounts. For example, Google’s Gmail also connects to a litany of services like Google Drive, Dropbox, Picasa, and others. Many services allow users to log in with Google credentials, so once a hacker has your e-mail account they have access to other services that are using Google authentication. You can see what apps have access to your Google account here. Gmail was used as an example here, but it’s likely that online e-mail accounts from Apple, Microsoft, or Yahoo – if compromised – would yield similar access to a wide variety of information.
There is precedent for this. In 2012 Christopher Chaney was sentenced to 10 years in jail for hacking into personal e-mail accounts of over 50 people in the entertainment industry including Scarlett Johansson, Mila Kunis, Christina Aguilera, and Vanessa Hudgens. Via these e-mail accounts he was able to accumulate a large collection of personal nude photos of these stars which made their way online.
In this case Occam’s Razor would suggest that someone gathered login account information for the stars and culled pictures over a long period of time.
Obviously we are not going to publish the photos. If you must know what this is all about you can find the collection on Reddit.