Celebrity nude photos accessed by phishing, source says

Naked photos of Jennifer Lawrence and dozens of other celebrities were hacked from their Apple devices with the aid of phishing, according to a source familiar with the investigation.

Phishing is a technique that hackers use to get information by pretending to be a trustworthy entity to gain access to passwords, personal emails and other security details. The source, who spoke on the condition of annoymity, did not provide details about what happened. But in general, phishing involves hackers pretending to be a communications provider or computer company seeking to check security information.

The hacker or hackers involved in this case managed to garner the stars’ identities and passwords on Apple devices. That move allowed them to access photos stored on the iCloud that backed up their devices. Guessing the passwords of celebrities isn’t hard because so much of their lives is documented in social media, biographies and stories A knowledge of the star can also allow a hacker to defeat any security questions.

The tough bit of the scheme, according law enforcement officials and security experts, isn’t getting the passwords but obtaining the email addresses associated with the account.

To do that, the hacker or hackers would have to have compromised at least one or more people’s accounts that contained address information for a slew of actresses, models and athletes.

On Sunday, nude celebrity photos were uploaded to a message board and they quickly spread to more widely available media. Lawrence and Kate Upton’s representative confirmed that they were private genuine images stolen and that legal action would follow for those posting thm. Others like actress Victoria Justice, Arian Grande and McKayla Maroney denied that the photos were real. Kirsten Dunst, who appeared topless in an image, bemoaned the iCloud, sarcastically tweeting “Thank you iCloud…”

Apple on Tuesday said its iCloud storage was never breached but said its investigation found that individual accounts were compromised “by a very targeted attack on user names, passwords and security questions.”

The release of images revealed that Apple’s security was allowing an infinite number of guessed passwords, enabling what security experts call a brute-force attack in which a program keeps guessing password combinations until it gets the right one.