LOS ANGELES: Scandal rocked both Hollywood and the US tech industry Monday after an apparent massive hack of a cloud data service unleashed a torrent of intimate pictures of celebrities onto the Internet.
Anonymous posters to online message boards boasted of having private images of scores of female stars including Oscar-winner Jennifer Lawrence, pop icon Rihanna and top model Kate Upton.
Early reports suggested hackers had “ripped” private images from tech giant Apple’s iCloud online data storage, but the firm made no immediate comment and other services may have been targeted.
Some of the pictures had previously been circulated on message forums, and others appeared fake, but some major stars expressed outrage at a new breach and threatened legal action.
“This is a flagrant violation of privacy. The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence,” Lawrence’s agent told entertainment media.
By late on Sunday, Twitter had begun suspending accounts that linked to the Lawrence photos, tech news site Mashable reported.
Among the scores of celebrities whose pictures were allegedly stolen were Scarlett Johansson, Winona Ryder, Avril Lavigne, Amber Heard, Hayden Panettiere, Hope Solo and American actress Mary E Winstead.
A spokesperson for actress and pop star Ariana Grande told BuzzFeed that images said to be of her are “completely fake.”
But horror movie actress Mary Elizabeth Winstead confirmed that some of her private pictures were in circulation and condemned those who stole them and who circulated them.
“To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves,” she tweeted. “Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked.”
The scale of the breach became apparent on Sunday when users of the 4chan message board, a diverse online community that has been criticized in the past for misogyny, began posting pictures.
Some more mainstream news and entertainment sites took up the story—and some linked to the images before taking them down amid legal threats and public outrage.
According to a report on news and gossip site Gawker, users of a AnonIB—an anonymous photo-sharing platform focused on stolen images of women—have been boasting of a hack since last week.
Some users — hiding behind pseudonyms — made an apparent attempt to sell the pictures or to trade them with fellow hackers for others. Tech news site The Next Web reported what it said was evidence that hackers had found a weakness in Apple’s “Find my iPhone” service, an app that tracks lost or stolen handsets.
Apple has patched the alleged hole, the report said, but not before news of it spread in the hacker community, allowing unscrupulous strangers to access private online data. The scale of the hack, and the targeting of women in the public eye, quickly revived the debate on social media about privacy concerns and about misogyny on the Internet.
The scandal also posed a public relations challenge to tech companies, who have been marketing online storage like iCloud, DropBox or GoogleDrive as a safe haven for users’ private data.
Several popular tech blogs marked the story by providing advice on storing private data safely, by using advanced encryption and two-step password identification or by keeping it offline.
LONDON: The leak of pictures and, allegedly, videos of Jennifer Lawrence by an unknown hacker has security experts – and Apple – puzzled. A number of those named have come forward to say that photos claimed to be of them are faked, while others claim they were deleted.
With any hack, the principal questions are: What was the avenue of attack? And where were the photos and videos – if they were real – downloaded from? The most headline-grabbing possibility for the source of the photos — a full-on frontal-assault ground-up hack of Apple’s iCloud service — is also the least likely. Large companies like Apple have dedicated in-house security teams who attempt to break into their own systems regularly.
“A wide scale ‘hack’ of Apple’s iCloud is unlikely. Even the original poster is not claiming that,” noted Rik Ferguson, vice-president of security research at Trend Micro. As with the many celebrity hacks (and daily hacks that affect less famous people), the simpler and more likely explanation is the leak of an email and password combination, either through guesswork or “phishing”, when users are fooled by authentic-looking sites into entering their login details, which are then used against them.
Apple is still investigating what is claimed to be an attack on its iCloud service, which is used by iPhone users to store settings and, crucially, which backs up photos taken with the phone to “cloud” servers. If you have a user’s email address and password for their iCloud service, you can log in to their account and download those photos and other details.
Ferguson suggests that the hacker may have used the “forgot password” link on Apple’s iCloud system after gathering the celebrities’ email addresses — perhaps from the address book of another hacked device. Independent security expert Graham Cluley points out that American actress Mary E Winstead may have thought that she had deleted the photos from her phone — but with modern smartphones, deleting a picture from the phone does not always mean that no copies exist.
‘Deleted doesn’t always mean deleted’
Modern smartphones routinely save photos to the cloud because they often lack enough capacity for the huge number of photos that people take. Apple’s iPhone by default saves photos to iCloud; Google’s Android to its Google+ service; Microsoft’s Windows Phone to its OneDrive service. Third-party services such as Dropbox also offer automated photo and data backups. “People take photos and zap them, but don’t realise that they are being uploaded,” Cluley told the Guardian. Ferguson agrees: “Deleted doesn’t always mean deleted,” he notes.
Those photos and videos can remain stored for years. If someone then gets hold of a user’s email and password, they can re-download all the photos — and also any videos that might have been sent by email. For an Apple device, the photos can be downloaded on to a Mac or Windows PC, or any Apple device.
“Two-factor authentication” protects against such hacks because it requires anyone setting up a copy of an existing account on a new device to enter a code that is sent to the primary device — usually a phone. Without that, access is blocked. Apple, Google, Microsoft and Yahoo all offer two-factor authentication on accounts, though it is not known how many, if any, of the affected celebrities used it.