The apparent leak of hundreds of naked photos purportedly belonging to more than 100 high-profile singers, actors and celebrities has raised questions of the safety and security of digital services.
On Sunday night, images of 101 high-profile stars, including Jennifer Lawrence, Ariana Grande, Victoria Justice, Kate Upton, Kim Kardashian, Rihanna, Kirsten Dunst and Selena Gomez, were posted on 4chan, an online image sharing forum, in an apparent hacking leak linked to the Apple iCloud service.
LIVE: Apple iPhone 6 event
Although the involvement of iCloud has not been confirmed, anonymous users on 4chan (the image-sharing forum where the photos were first posted) claimed on Sunday to have taken them from the service.
If activated, iCloud automatically stores photos, email, contacts and other information online, allowing users to sync this data across different devices (for example iPhones and iPads) or access it from any internet-connected computer using a log-in and password.
Although Apple’s encryption on the data itself is considered robust, access could have been gained through more indirect means - such as guessing users' passwords or simply resetting their accounts by finding their email address and then answering traditional ‘security questions’.
(Worried iCloud users can turn off photo syncing through Settings > iCloud on their iPhone or iPad, or, for additional security, set up two-step verification by following these instructions.)
Jennifer Lawrence, who confirmed via her publicist that the photos were genuine, has previously said: "My iCloud keeps telling me to back it up, and I'm like, I don't know how to back you up. Do it yourself,” while metadata retrieved from the images shows that the vast majority were taken using Apple devices.
However, this doesn't confirm that iCloud itself was hacked - it might simply be down to individual users’ poor password choices - and other theories as to how the pictures were obtained are also circulating online.
Security experts have suggested that a second cloud service, Dropbox, might be involved and that the massive scope of the leak (posters on 4chan claimed that close to 100 celebrities are affected) implies that “an employee with access to data somewhere made a private stash” and was subsequently hacked by another opportunistic individual.
The anonymous user who first posted the images online claimed to have additional leaks including explicit videos of Lawrence and requested donations via PayPal and Bitcoin in exchange for posting them.
Since the images were first posted online, tech site The Next Web has discovered the code for an iCloud-focused hacking program posted to the open-source website GitHub.
The program apparently exploits a flaw (now fixed) in Apple's 'Find my iPhone' service to guess passwords over and over again without being locked out. This method of hacking known as a 'brute force' attack uses a database of commonly uses words and phrases to guess passwords.
The program's creator told The Next Web that although they had not seen any evidence that the software had been used in the celebrity hacks, they admitted "that someone could use this tool".
Apple declined to comment.