Leak of pirated photos raises questions about security of the cloud

Andrea Peterson, Emily Yahr and Joby Warrick (c) 2014, The Washington Post

The leaking of hundreds of private and intimate photographs of Hollywood celebrities cast new doubt on the security of popular online storage sites Monday as investigators probed for explanations of the high-profile breach.

Privacy experts joined Hollywood publicists in denouncing the leaks, which flooded websites over the weekend with nude images of more than a half-dozen A-list actresses and performers, including Jennifer Lawrence, the Oscar-winning star of “The Hunger Games” and “Silver Linings Playbook.”

The breach — regarded as one of the most wide-ranging involving celebrities — has spurred concerns about the security of photographs, videos and documents that millions of Americans store in popular Internet “cloud” accounts. Lawrence’s photographs allegedly were obtained from a personal iCloud account, a service operated by Apple and often used to automatically store photos taken by a user’s mobile phone.

“This is a flagrant violation of privacy,” a spokesman for Lawrence said in a statement that threatened to seek prosecution not only for the hacker but also for anyone who redistributed the photographs.

The FBI said Monday that it was looking into the leaks. An Apple spokesman said the company was “actively investigating” apparent breaches of some of its iCloud accounts, but the company did not identify which accounts may have been compromised.

“We take user privacy very seriously and are actively investigating this report,” Apple spokeswoman Natalie Kerris told the technology website Recode.

Independent experts said the hackers appear to have deliberately targeted celebrity accounts, suggesting that it is unlikely that ordinary users’ files were compromised. Still, with official investigations just getting underway, it was unclear precisely what methods were used in stealing the photos and whether the thefts pointed to broader vulnerabilities.

Anonymous posters on the online message board 4chan — where the photos first surfaced — alleged that the photos were obtained from iCloud accounts. The first ones to appear were sexually explicit images of Lawrence, 24, who acknowledged through her publicist that private material had been stolen.

The statement sparked a frenzy of media interest by essentially confirming that the photos were real. Nude pictures of celebrities are frequently faked and posted around the Internet.

Shortly after the Lawrence photos appeared, anonymous posts on the 4chan site claimed that numerous celebrity accounts had been compromised by hackers who had successfully obtained risque photos of top actresses and singers, ranging from reality-show star Kim Kardashian to pop singer Rihanna.

As photos began popping up on 4chan and other sites over the weekend, some of the targeted celebrities weighed in. Sports Illustrated model Kate Upton’s attorney told the website Buzzfeed that she, like Lawrence, would pursue legal action against anyone who posted the images.

Actress Mary Elizabeth Winstead sought to shame the perpetrator with an angry message on the social media site Twitter. “To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves,” she tweeted. “Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked.”

Not all the posted photos were deemed authentic: Nickelodeon actress Victoria Justice and Olympic gymnast McKayla Maroney said in Twitter messages that none of the pictures attributed to them was real. Pop singer Ariana Grande’s publicist also said pictures of her client were fake.

While the precise nature of the breaches remained unclear, security experts said there are several ways that hackers might have been able to break into iCloud accounts, if that is what happened. For example, a hacker could have obtained the email addresses of the victims and then tricked the service into resetting a password by guessing the correct answers to security questions.

In another scenario, the hacker might have found a still-unknown security vulnerability that allowed access to an iCloud account. On the day before the leak was made public, a way to “bruteforce” into an Apple account using an alleged vulnerability in the “Find My iPhone” application was posted to the popular code repository Github. The alleged security flaw reportedly has been patched.

A theory offered on Twitter by security expert Dan Kaminsky, chief scientist at WhiteOps.com, is that someone who was collecting a cache of the celebrity nudes may have been hacked by the person or people who spread the images online over the weekend. If the photos were collected by an individual from different sources over a long period of time, it could explain why some of the images appear to be genuine and others are allegedly fake.

Security experts point out that if cloud storage was indeed the source of the photos, an easy security measure might have saved celebrities a lot of embarrassment. Most cloud services, including Apple’s, offer an extra safeguard known as “two-factor authentication,” which requires users to verify their identities in a two-step process using different passwords.

Hollywood stars have faced an exceptionally difficult time maintaining digital privacy in recent years, especially as prices offered for illicit photos by gossip sites increase.

Hackers can face serious punishment: In 2012, a man who pleaded guilty to email hacks that resulted in leaks of nude photographs of the actress Scarlett Johansson was sentenced to 10 years in prison.

Christopher Chaney, an unemployed Florida resident, said he stumbled upon the photos of Johansson after hacking into celebrity accounts. He received the steep sentence after Johansson’s emotional video testimony at his trial, in which she said she was “truly humiliated and embarrassed” by the leaked images.

Washington Post staff writer Rachel Lubitz contributed to this report.