iCloud leaks of celebrity photos




On August 31, 2014, a collection of almost 500 private pictures of various celebrities, mostly women, and with many containing nudity, was posted on the imageboard 4chan, and later disseminated by other users on websites and social networks such as Imgur and Reddit. The images were initially believed to have been obtained via a breach of Apple's cloud services suite iCloud, or a security issue in the iCloud API which allowed attackers to make unlimited attempts at guessing victims' passwords. However, access was later revealed to have been gained via spear phishing attacks.
The event, which media outlets and internet users referred to under names such as the "fappening" and "Celebgate", was met with a varied reaction from the media and fellow celebrities. Critics felt that the distribution of the images was a major invasion of privacy for their subjects, while some of the allegedly depicted subjects denied their authenticity. The leak also prompted increased concern from analysts surrounding the privacy and security of cloud computing services such as iCloud—with a particular emphasis on their use to store sensitive, private information.

Procurement and distribution

The images were obtained via the online storage offered by Apple's iCloud platform for automatically backing up photos from iOS devices, such as iPhones. Apple later reported that the victims' iCloud account information was obtained using "a very targeted attack on user names, passwords and security questions", such as phishing and brute-force guessing. It was initially believed that the images were obtained using an exploit in the Find My iPhone service. Court documents from 2014 indicated that one user created a fake email account called "appleprivacysecurity" to ask celebrities for security information. The photos were being passed around privately for at least a couple of weeks before their public release on August 31. There are claims that unreleased photos and videos exist.
The hacker responsible for the leak, who described themselves as being a "collector", distributed the leaked images on the image boards 4chan and Anon-IB in exchange for Bitcoin. Ultimately, the images were widely circulated online via other channels, including Imgur and Tumblr. Celebrity gossip blogger Perez Hilton also re-posted some of the photos on his blog, but soon took them down and issued an apology, saying "he had acted in bad taste".
A major center of activity was the link-sharing website Reddit, where a subreddit was created for sharing the photos; in a single day, it amassed over 100,000 followers. Reddit administrators were criticized for allowing this to take place in an alleged violation of their anti-doxing rules. As McKayla Maroney claimed to be under 18 at the time the photos of her were taken, Reddit staff took photos of her down and warned that anyone re-posting them, or underage photos of Liz Lee which had been circulating prior to this incident, would be permanently banned from the site and could be prosecuted for distributing child pornography. On September 7, citing copyright issues, Reddit banned its "TheFappening" subreddit, also saying the workload of dealing with them had become too much. Reddit banned another subreddit named "Fappening" on the same day.

Content and affected celebrities

The original release contained photos and videos of more than 100 individuals that were allegedly obtained from file storage on hacked iCloud accounts, including some the leakers claimed were A-list celebrities. Shortly after the photos were leaked, several affected celebrities issued statements to either confirm or deny the photos' authenticity. Celebrities who have confirmed the photos' authenticity include Jennifer Lawrence, Kate Upton and her husband Justin Verlander, Mary Elizabeth Winstead, Jessica Brown Findlay, Kaley Cuoco, and Kirsten Dunst, who also criticized the iCloud service. Jill Scott confirmed on Twitter that one of the leaked photos was of her while stating that another was fake.
Celebrities who have denied the photos' authenticity include Ariana Grande and Yvonne Strahovski. Olympic gymnast McKayla Maroney initially denied the images' authenticity on Twitter, then later confirmed that the photos were legitimate while also stating she was underage at the time they were taken. Victoria Justice denied that the photos were authentic but later stated on Twitter that she was pursuing legal actions and found the leak to be a massive invasion of not just her privacy, but of the privacy of all the celebrities affected by the leak. Reports in October indicated that Nick Hogan was the first male star to be directly targeted by hackers; however, Hogan denied the pictures' authenticity.
According to security expert Nik Cubrilovic, in addition to the photographs, other personal information such as text messages, calendars, address books, phone call logs and any other data stored on their phones and backed up to the service was also likely stolen.
On September 20, 2014, a second batch of similar private photos of additional celebrities was leaked by hackers. On September 26, 2014, a third batch was also leaked, which was dubbed "The Fappening 3".

Reaction

Actress Lena Dunham pleaded on Twitter for people not to view the pictures, saying doing so "violat[es] these women over and over again. It's not okay." Actress Emma Watson condemned not only the release of the photos, but also "the accompanying comments that show such a lack of empathy." Actors Seth Rogen and Lucas Neff also spoke out against the hackers and people who posted the pictures. Justin Verlander, then a pitcher for the Detroit Tigers, told the media prior to a game against the Cleveland Indians that he keeps his private life private and would rather focus on the Tigers' race with the Kansas City Royals for the AL Central title than be a distraction to his teammates. Security analysts have stated that the breach could have been prevented through the use of two-factor authentication, while a Forbes writer recommended turning off the iCloud "Photo Stream" feature entirely.
The incident has been given many names, including "The Fappening" and "Celebgate". The term "The Fappening" has received criticism from journalists like Radhika Sanghani of The Daily Telegraph and Toyin Owoseje of the International Business Times, who said that the term not only trivialized the leak, but also, according to Sanghani, "[made] light of a very severe situation"; both articles used the term extensively to describe the event, including in the headlines.
In an interview with The Wall Street Journal, Apple CEO Tim Cook stated that in response to the leaks, the company planned to take additional steps to protect the privacy and security of iCloud users in the future. Notifications would be provided whenever data is restored to a device via iCloud and after logging into iCloud via a web browser, in addition to existing notifications when a user's iCloud password is changed. Additionally, Apple would broaden and encourage the use of two-factor authentication in future versions of its software and operating systems, such as the then-upcoming iOS 8. In conclusion, he emphasized that "we want to do everything we can do to protect our customers, because we are as outraged if not more so than they are."
Jennifer Lawrence contacted authorities and her publicist has stated that the authorities will prosecute anyone who posts leaked images of her. Forbes columnist Joseph Steinberg questioned whether the reactions by law enforcement and technology providers indicated that celebrities were being treated differently from ordinary Americans, which, in the case of law enforcement, may be illegal.
On October 1, 2014, Google was threatened with a lawsuit by lawyer Martin Singer for $100 million on behalf of unnamed victims of the leaks, alleging that Google had refused to respond to requests for the images to be removed from its platforms, "[failed] to act expeditiously, and responsibly to remove the images", and "knowingly accommodating, facilitating, and perpetuating the unlawful conduct".
In an interview with Vanity Fair, Lawrence called the leak a "sex crime" and a "sexual violation" and added, "anybody who looked at those pictures, you're perpetuating a sexual offense and you should cower with shame". This view was contrasted by another victim of the hack, Emily Ratajkowski, who told GQ, "A lot of people who were victims of [the hack] said anyone who looks at these pictures should feel guilty, but I just don't think that's fair", and "I'm not sure that anyone who Googles it is necessarily a criminal. I think the people who stole the photos are".

Investigation

The FBI said that it was "aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter." Similarly, Apple stated that it had been investigating whether a security breach of the iCloud service was responsible for the leaked photographs, as per the company's commitment to user privacy. On September 2, 2014, Apple reported that the leaked images were the result of compromised accounts, using "a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet".
In October 2014, the FBI searched a house in Chicago and seized several computers, cell phones and storage drives after tracking the source of a hacking attack to an IP address linked to an individual named Emilio Herrera. A related search warrant application mentioned eight victims with initials A.S., C.H., H.S., J.M., O.W., A.K., E.B., and A.H., which supposedly point to stolen photos of Abigail Spencer, Christina Hendricks, Hope Solo, Jennette McCurdy, Olivia Wilde, Anna Kendrick, Emily Browning, and Amber Heard. According to law enforcement officials, Herrera was just one of several people under investigation and the FBI carried out various searches across the country.

Guilty pleas

In March 2016, 36-year-old Ryan Collins of Lancaster, Pennsylvania, agreed to plead guilty to one count of unauthorized access to a protected computer to obtain information resulting in an 18-month sentence. While no victims were named in the court documents, numerous media outlets connected Collins' case to The Fappening. During the investigation, it was found that Collins phished by sending e-mails to the victims that looked like they came from Apple or Google, warning the victims that their accounts might be compromised and asking for their account details. The victims would enter their passwords, and Collins gained access to their accounts, downloading e-mails and iCloud backups. In October 2016, Collins was sentenced to 18 months in prison.
In August 2016, 28-year-old Edward Majerczyk of Chicago, Illinois, agreed to plead guilty to a similar phishing scheme, although authorities believe he worked independently and he was not accused of selling the images or posting them online. On January 24, 2017, Majerczyk was sentenced to nine months in prison and was ordered to pay $5,700 in restitution to cover the counseling services of one unnamed celebrity victim.
Emilio Herrera, also from Chicago, had first been named in the press in 2014; he pleaded guilty to one count of unauthorized access to a protected computer to obtain information in October 2017. Herrera had accessed the accounts of unnamed celebrities and others but was not accused of being involved in leaking or sharing the photos and videos he obtained. He was sentenced to 16 months in jail in March 2018.
In April 2018, 26-year-old George Garofano of North Branford, Connecticut, pleaded guilty to one count of unauthorized access to a protected computer to obtain information. Garofano's attorney said he had been led into the phishing scheme by criminals.
On August 29, 2018, a federal court sentenced Garofano to eight months in prison.
On October 22, 2018, Christopher Brannan, a former Virginia teacher, became the fifth man to be convicted in relation to the hacking. Brannan pled guilty to federal charges of aggravated identity theft and unauthorized access to a protected computer. Through a phishing expedition, he hacked more than 200 people. In addition to his celebrity victims, Brannan targeted his underage sister-in-law, as well as teachers and students at the school where he used to teach. Brannan was sentenced to 34 months in prison on March 1, 2019.