Note, this is Part 1 of a two part article. Part 1 covers what happened, Part 2 focuses on steps people can take to limit their vulnerability to this type of attack.
The leak of hundreds of celebrity nude photos Labor Day weekend has many people pointing the finger at Apple’s iCloud. Many of the celebrities who’s photos leaked used iCloud to backup their phones. Apple claims the leak was the result of “a very targeted attack on user names, passwords and security questions.”
What does this mean?
As new information comes to light, the depth and age of the hacks is shocking. Gawker reports that “As far back as “a few weeks ago,” a Deadspin reader tipped the sports site to the alleged existence of a large collection of private photographs stolen from celebrities.” All investigations are circling to an unorganized online club of people who specifically tried to gain access to celebrities private images.
One of the victims of the hack, Mary E. Winstead said
Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked.
— Mary E. Winstead (@M_E_Winstead) August 31, 2014
This online club of illicit photo traders has reportedly been dealing in these photos for years. Again, most of this info is pieced together from many reports, but supposedly someone decided to try to sell the cache of photos, and other traders caught wind and also decided to try to cash in, leading to the hundred or so photos to be leaked over the course of Sunday, August 31 throughout the day.
There are several possible ways that the hackers gained access to the sensitive pictures. Once the hackers knew the celebrity’s iCloud email address, they could either use a brute-force password cracking program (Apple closed the security hole that allowed this to be possible by Tuesday, September 2), or they could use information from articles and interviews with the celebrities to guess the password to their iCloud accounts, OR use that same info to reset the passwords by answering the security questions.
Once the hackers had the iCloud password, it is widely believe that they used law-enforcement tool Elcomsoft Phone Password Breaker (or EPPB as it’s commonly known as) to download and peruse iPhone backups from the Cloud. This tool is legal. If someone knows your iCloud username/email and your password, they can then download a backup of your entire phone to their computer, and peruse whatever they’d like, including texts, photos, and emails.