Apple Inc. (AAPL), which is poised to unveil new iPhones next week, and the FBI are probing reports hackers used the company’s iCloud service to illegally access nude photos of actress Jennifer Lawrence and other celebrities.
Hackers posted the nude photos on the anonymous image-sharing website 4chan, the Telegraph in London reported. The photos targeting more than 100 U.S. and U.K. celebrities were allegedly obtained by breaking into iCloud accounts, the newspaper said. A representative for Oscar winner Lawrence, in an e-mail, called the situation a “flagrant violation of privacy” and confirmed that the photos were hers.
“We take user privacy very seriously and are actively investigating this report,” Nat Kerris, a spokeswoman for Cupertino, California-based Apple, said without providing additional details.
The iCloud service, a key part of Apple’s strategy to unite its iPhones, tablets and desktop computers, lets users store contacts, e-mails, photos and other personal information on external systems they can access virtually. Apple has fixed a bug in its “Find My iPhone” software that may have allowed hackers to access celebrity iCloud accounts through so-called brute-force attacks that try multiple passwords, the Engadget technology website reported, citing developers.
The U.S. Federal Bureau of Investigation released a statement yesterday saying the agency is aware of the allegations “concerning computer intrusions and the unlawful release of material involving high profile individuals.” The agency is “addressing the matter,” Laura Eimiller, an FBI spokeswoman in Los Angeles, said by e-mail.
The FBI doesn’t typically confirm investigations as a matter of practice, Eimiller said by telephone yesterday. “Clearly there’s a high public interest, so we felt it appropriate to provide a limited statement,” she said.
The celebrity hack comes days before Apple’s scheduled Sept. 9 product announcement near its headquarters. Apple will introduce bigger-display iPhones and a wearable device at the event, people with knowledge of the plans have said. Anticipation for new products has boosted Apple’s shares 29 percent this year to a record. They rose 80 cents to $103.30 at the close in New York.
The risk to iCloud users will depend on whether the breach happened within Apple’s security or within the celebrities’ personal accounts, said Clifford Neuman, director of the University of Southern California’s Center for Computer Systems Security. Either way, some users may not understand when and how they are using such services, especially during the set-up.
“The data are leaving the devices that are in your possession and are now being stored on a server elsewhere,” Neuman said yesterday in a telephone interview. “For most things, that’s probably a good thing but for things that are sensitive, that’s a problem.”
Backups of iPhone data stored on personal computers and laptops aren’t automatically encrypted, said Paco Hope, a principal software security consultant in London for Dulles, Virginia-based Cigital Inc. Users must add the option manually. Backups sent to Apple are encrypted, he said.
“A garden variety hack into a celebrity’s PC might find photos in unencrypted backups, or even just as files on the PC,” Hope said. If a hacker “had access to an influential person’s address book, a movie or production company’s contacts, or some talent agency’s data, from there they could have phished a few movie stars, gotten more addresses and so on.”
Apple and its products have been hacked before. In 2012, more than 600,000 Mac computers were infected by hackers who used a vulnerability in Java, the widely used programming language that is administered by Oracle Corp. Apple drew heat from fans because it knew about the bug for two months before issuing a fix, a gap that let the infections spread.
Later that same year, technology journalist Mat Honan wrote about how security flaws in cloud-computing services let attackers compromise his Apple ID account and erase all the data on his iPhone, iPad and MacBook, including family photos.
The celebrities hacked in the recent breach included reality TV star Kim Kardashian and singer Rihanna, the Telegraph reported. Actresses Selena Gomez and Kirsten Dunst also were among the cache, Time Inc. (TIME) reported on its website. The hackers promised to post more photos, Time reported.
“To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves,” actress Mary Elizabeth Winstead posted on Twitter. “Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this.”
One plausible explanation for a wide breach of private photos is by way of a password-retrieval system, said Woodrow Hartzog, who teaches privacy at the Cumberland School of Law at Samford University in Birmingham, Alabama. Customers generally recover forgotten passwords by providing information or answering questions about themselves. Celebrities are particularly vulnerable to hacks of these programs because so much of their life history, such as where they were born, is available in biographies, news stories and websites like Wikipedia.
“Data security is more important than ever before,” Hartzog said in a telephone interview. “We store our most personal intimate moments online, and it’s absolutely critical that that information stay as protected as reasonably possible.”
Once private information like nude photographs is made public, laws in the U.S. are inadequate to do much about it, Hartzog said. Remedies, including getting the data purged, are scant.
“These pictures are likely to still persist,” he said. “It becomes a very difficult thing for anyone, whether a celebrity or any other victim of non-consensual pornography, to be adequately helped under the law.”
Some of the hacked celebrities, including former Nickelodeon star Victoria Justice, said the photographs purported to be of them weren’t real. “These so called nudes of me are FAKE people,” Justice posted on Twitter.