Jennifer Lawrence Nu.de Photos Leak: Why the iCloud ‘Hacked’ Theory is Unlikely

On Sunday, nude photos of several celebrities including Oscar winner Jennifer Lawrence were leaked online in what was initially believed to be a hack of Apple’s iCloud service.

It is possible however that the actual hack did not take place against iCloud, but rather, another website from where login credentials were obtained and then tried on sites like iCloud. With most services using an email ID as your username today, hackers don’t even have to try and guess at your identity in most cases, and the same credentials can often work across multiple sites.

Su Gim Goh, Security Advisor Asia for F-Secure (which was recently in the news after it published a report about Xiaomi handsets sending users’ data to China without seeking permission), was in Delhi on Monday to discuss F-Secure’s biannual threat report, tells NDTV Gadgets that at this early stage, he doesn’t think the hack took place at iCloud at all.

“Security issues aren’t the problem of just one manufacturer,” Goh says, “but actual malware on iOS is still pretty limited. Obviously, we don’t recommend jailbreaking your phone,” he adds, and indeed, the malware that F-Secure has found for iOS so far has been only for jailbroken devices. “[for iCloud] I don’t know right now what happened, but the hackers could have actually gotten the usernames and passwords from any other site,” Goh says. “And then they could have run a program to keep trying usernames and passwords against iCloud to find the ones that work.”

If this is correct, then the leakers wouldn’t have had to bypass Apple’s security at all to get access to years’ worth of backups of people. From there, it would only be a question of identifying the accounts of famous people, and then sorting for the pictures to leak.

Some speculate that it could have been even simpler – according to 9to5mac, a vulnerability in the Find My iPhone service allegedly allowed hackers to repeatedly try different passwords for a user, without sending an alert to the user. This would allow brute force bypassing of the password.

It’s worth noting that Apple offers optional two-factor authentication for its users, which offers an additional layer of security, but the feature is not used my most users due to lack of awareness about its benefits, and indeed, its very existence.

Among the celebrities whose pictures allegedly were stolen and posted online were Avril Lavigne, Amber Heard, Gabrielle Union, Hayden Pannettiere and Hope Solo, according to Mashable. Media reports said among the other starlets targeted were Hillary Duff, Jenny McCarthy, Kaley Cuoco, Kate Upton, Kate Bosworth, Keke Palmer and Kim Kardashian.

“The problem is that most people don’t change their passwords, and they use the same password on different sites,” he adds. “And there’s actually an interesting chicken and egg issue here, which is that the longer and more complex a password is, the less likely users are to change it.”

When asked what people should do to protect their own data in such situations, Goh says that the more steps that are required to access your data, the better – such as enabling 2-step verification. Another step that Goh recommends is using a password manager. “A lot of people say it doesn’t really help,” says Goh, “but if it makes it even a little more complex for people to get your password then it’s worth doing. There are a lot of different applications available now, we have also launched on called F-secure Key [Android | iOS]. How many passwords can you remember? Every site needs a password now – you need one just to read the news.”

And this means that when you use the same password in a site with low security – Goh pointed out that sometimes, due to sloppy code, this information might even be passed “clear”, that is, without any encryption – then even a service with high security becomes vulnerable, in the absence of secondary measures like two-factor authentication.