By now, you’ve probably heard that a massive cyberattack dubbed "TheFappening" or "Celebgate" resulted in the publication of nude and semi-nude photos of dozens of A-listers over the Labor Day weekend. Pop princess Ariana Grande, Glee star Lea Michele, soccer player Hope Solo, and our beloved Hunger Games actress Jennifer Lawrence were just a few of the more than 100 celebrities who were allegedly hit.
It’s unclear who exactly broke into these stars’ accounts, how they did it, and how long the plan was in the works. Apple has said at least some of the photos came from individual iCloud accounts that attackers broke into one by one, and not from a system-wide breach. The company and the FBI are still investigating.
It’s also unclear how many of the photos are authentic: some stars confirmed their pics were real, while others claim they were faked.
Here’s what we know so far.
It appears that the first photos from the Celebgate hack started to leak about a week ago, on August 26th, when members of the imageboard AnonIB claimed they had photos of Jennifer Lawrence and were "trading celebs and ripping iClouds."
One user began posting censored images and requesting a ransom payment to see the uncensored version. When his or her claims weren’t taken seriously, that user started posting uncensored images, which then proliferated as they were reposted and more sources of photos came forward.
"It appears the intention was to never make these images public, but that somebody – possibly the previously identified distributor – decided that the opportunity to make some money was too good to pass up and decided to try to sell some of the images," writes security consultant Nik Cubrilovic. "My theory is that other members of the ring, seeing the leaks and requests for money also decided to attempt to cash in thinking the value of the images would soon approach zero, which led to a race to the bottom between those who had access to them."
On August 31st, photographs purporting to show female celebrities in the nude were posted to 4chan’s notorious /b/ board along with a list of more than 100 celebrities supposedly included in the leak. The victims included Lawrence, Mary E. Winstead, Kate Upton, and McKayla Maroney, who was underage when the alleged photos were taken.
The images, which appear to have been gathered over many months, spread quickly around the web. Entertainment blogger Perez Hilton posted photos of Lawrence on his website, before deleting them and apologizing in an emotional video. They have been particularly popular on Reddit, where they became the subject of a fast-growing new subreddit known as r/TheFappening.
It didn’t take long for celebrities to respond. Some of the victims, including Lawrence and Winstead, acknowledged the authenticity of the images. Others, such as Grande and singer-songwriter Victoria Justice, said the photos purporting to show them are fake.
On September 1st, Apple patched a vulnerability that allowed attackers to guess a password by brute force using a free hacker tool, which may or may not have been used in the celebrity attacks.
Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked. — Mary E. Winstead (@M_E_Winstead) August 31, 2014
On September 2nd, Apple confirmed that the iCloud accounts of an unspecified number of celebrities were compromised after hackers obtained their usernames, passwords, and the answers to their security questions. iCloud itself was not subject to a large-scale breach, Apple said. Meanwhile, the FBI said it is investigating the attacks.
Also on September 2nd, it was discovered that the leak contained photos of gymnast McKayla Maroney and actress Liz Lee that were taken when the women were underage, which implicates anyone who shared those photos in distributing child pornography. Moderators of r/TheFappening scrambled to get those photos off the site and began warning users, in order to prevent the subreddit from being taken down and everyone participating from being arrested.
The collectors: The people who broke into celebrities’ accounts and obtained photos, as well as those who sold and catalogued them. They have not been identified to date.
AnonIB: This image board is the first known public forum where the collectors talked about the existence of a large cache of celebrity photos.
4chan: The celebrity photos and the list were first posted publicly on this anonymous image board.
r/TheFappening: A forum within Reddit where members started tracking everything related to the leak. Photos can be catalogued and searched on Reddit much more easily than on 4chan, which helps to explain why The Fappening became one of the fastest-growing subreddits overnight.
to every1 going on about my "nudes" & my "m&g prices" neither are real! my lil ass is a lot cuter than that lmao & tour details r comin soon — Ariana Grande (@ArianaGrande) September 2, 2014
Brian Hamade: A 26-year-old known as BluntMastermind on Reddit who allegedly tried to sell pictures of Lawrence in exchange for $100 each in bitcoin. His identity was outed by members of 4chan who fingered him as the source of the photos. In an interview with The Daily Mail, he denied that he had anything to do with the attack and claimed he only tried to sell one picture that was fake.
Jennifer Lawrence: The crown jewel in the collectors’ cache of stolen photos. Lawrence was brave enough to admit through a representative that the photos were real, but pledged legal retribution. Her name has led many a headline since the start of #Celebgate. She was also the inspiration for r/TheFappening’s foray into philanthropy, in which members encouraged others to donate to the Prostate Cancer Foundation in her honor as well as Water.org and other charities.
Apple: Initially, the collectors claimed the photos all came from a security flaw in iCloud, which Apple denies. But the company, which says it spent 40 hours investigating the leaks, admitted that some number of individual celebrity accounts were broken into.
How they did it
Exactly how the attackers got ahold of real photos will be hard to say until Apple and the FBI have concluded their investigations. However, it’s pretty clear that the photos were collected by a group of people who successfully guessed the passwords and security questions of individual celebrities.
It’s also clear that vast networks devoted to obtaining private photographs and other personal information through hacking have sprung up around the web, collecting data from celebrities and non-celebrities alike.
Collectors break into targets’ phones, retrieve images, text messages, and other data, using brute-force password-guessing tools, social engineering, and hacker tools that allow them to download an iPhone’s full backup rather than the limited data on iCloud.com. They then trade and sell the images within their networks, aggregating and cataloguing them. iCloud is a popular target because the iPhone is so popular and it stores photo backups by default.
As crazy as this story seems, it’s actually happened before. Christopher Chaney, the "Hollywood Hacker," broke into the email accounts of more than 50 celebrities including Scarlett Johansson. He had monitored their social media accounts looking for clues to their passwords. Once he obtained access to one star, he’d look through their contacts to find additional targets. In 2012, he was sentenced to 10 years in prison.
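For readers who run a login service, here is one way to spot the per-account password guessing described in this section. It is an added example, not part of the original article and not Apple's code or a description of Apple's fix. The log format, the thresholds and the function name are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, result, account, source.
SAMPLE_LOG = """\
2014-08-30T10:00:00 FAIL alice@example.com 203.0.113.5
2014-08-30T10:00:02 FAIL alice@example.com 203.0.113.5
2014-08-30T10:00:03 FAIL alice@example.com 198.51.100.7
2014-08-30T10:00:05 FAIL alice@example.com 198.51.100.9
2014-08-30T10:00:06 FAIL alice@example.com 203.0.113.5
2014-08-30T10:00:09 OK alice@example.com 203.0.113.5
2014-08-30T10:01:00 FAIL bob@example.com 192.0.2.44
2014-08-30T10:30:00 OK bob@example.com 192.0.2.44
"""

def find_guessing(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return alerts for accounts with >= max_failures failed logins inside
    `window`. Failures are counted per account, whatever the source address.
    A success that follows such a burst is reported separately."""
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    flagged = set()               # accounts currently in a guessing burst
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, result, account, _src = line.split()
        when = datetime.fromisoformat(stamp)
        fails = recent[account]
        while fails and when - fails[0] > window:
            fails.popleft()       # drop failures that aged out of the window
        if not fails:
            flagged.discard(account)
        if result == "FAIL":
            fails.append(when)
            if len(fails) >= max_failures and account not in flagged:
                flagged.add(account)
                alerts.append((account, "guessing", when))
        elif result == "OK":
            if account in flagged:
                alerts.append((account, "success_after_guessing", when))
                flagged.discard(account)
            fails.clear()
    return alerts

if __name__ == "__main__":
    for alert in find_guessing(SAMPLE_LOG):
        print(alert)
```

A "success_after_guessing" alert is the one worth acting on first: it marks a login that succeeded right after a burst of failures on the same account.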
Why it matters
The incident touches on multiple important trends: internet security, the right to privacy, the increasingly awful treatment of women on the internet, cyberbullying in general, and whether it’s okay to sext, among others.
The metadata in a number of the leaked photos also included location data, a scary possibility for the victims.
Some smart takes came from Kashmir Hill in Forbes, who wrote about why you can’t tell people not to sext; Sam Biddle at Valleywag, who wrote about how Apple needs to step up its security efforts; and T.C. Sottek at The Verge, who wrote about how privacy is only important to some people until hot naked women get involved.
Apple and the FBI are on the trail of the collectors who perpetrated the attack, and there is serious jail time at stake — particularly given that the leak included at least two victims who were legally minors at the time the photos were taken. The size of the leak and the clout of the victims suggest that the investigation will be a high priority. The attackers may escape forever, or they may be brought to justice in six months to a few years, deterring future attacks of this type.
The outpouring of sympathy for the victims symbolized an interesting attitude shift from "don’t sext" to "sext safely" or "passwords are a really poor means of protecting your customers." Sexting is already twice as common as it was two years ago, and sext-positive attitudes are proliferating. Even as people like Ricky Gervais continue to shame the sexters, others are standing up to defend them. (Gervais deleted his offending tweet.)
The incident also serves as a reminder to anyone who uses smartphones, social networks, email, and the internet — almost everyone, in other words — to take security more seriously. Stories about widespread data breaches at companies like Target and JP Morgan Chase pop up almost weekly now, but somehow they just don’t pierce the public consciousness the way "Jennifer Lawrence nudes" does.