A hacking incident, which reportedly impacted over 100 celebrities whose personal photos, including nude images, were posted online, is now being investigated by the FBI and Apple.
On Sunday, the photos were published on message board 4chan before going viral, and catching the attention of targeted starlets, such as Academy Award winner Jennifer Lawrence, who was said to have contacted police about the matter.
Theories that the publicized hack leveraged vulnerabilities in Apple’s iCloud service soon cropped up, and on Tuesday Apple told The Wall Street Journal that it was investigating the reports. That same day, the FBI confirmed with news outlets that it was also investigating the incident.
As those interested in the initial attack method also searched for answers, one explanation that came forth was that celebs’ personal photos, and in some cases videos, were accessed via an AppleID password cracking proof-of-concept, called “iBrute,” which targets a weakness in Apple’s “Find My iPhone” service accessible through iCloud.
The iBrute tool was released by HackApp a day before the incident, however, inciting researchers who discussed the PoC at DefCon Russia this weekend to defend themselves in an official statement on Monday.
On the DefCon Russia website, the group stood by researchers‘ claims, saying that it was “very unlikely that iBrute was used for this attack, but maybe evil guys found [the] same bug and used it,” possibly through a different attack vector. On Monday, HackApp said via Twitter that Apple patched the Find My iPhone bug, making the tool “not applicable.”
On Tuesday, SCMagazine.com reached out to Apple about the reported security issues impacting iCloud, but the tech giant did not immediately respond with comment. Along with Jennifer Lawrence, celebrities who were also victims of the Labor Day weekend photo leak include Rihanna, Kate Upton, Kirsten Dunst and dozens of others.
In another incident, one hacker, also tied to the theft of racy photos of celebrities, including Scarlett Johannson and Mila Kunis, pleaded guilty in March 2012 to breaking into starlets’ email accounts in order to access private images, emails and other documents. The Florida man, Christopher Chaney, was sentenced to 10 years in prison that December for his crimes.
UPDATE: On Tuesday, Apple released a media advisory on the “celebrity photo investigation,” saying that, after more than 40 hours of looking into the incident, it found that “certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the internet.”
“None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone,” Apple said via the statement. The company advised users to implement strong passwords as a security measure, and to enable two-step verification for their accounts.