
Notes on the Celebrity Data Theft

An interesting aspect of information security is how periodically it collides with other industries and subcultures. With more information than ever being stored and shared online and on connected devices, hacking stories are frequent and are mainstream news. This was the case yesterday as dozens of celebrities fell victim to hackers who leaked hundreds of private photographs and videos stolen from web-based storage services.

The summary of the story is that a number of personal and private nude images from high profile celebrities started appearing on online image boards and forums – most notably on anon-ib, 4chan and reddit.

The first pictures were posted nearly a week ago, but didn’t get much attention since they were being ransomed (censored previews being shared in the hope somebody would purchase them). It was only after a number of intermediaries purchased the images and posted complete nudes in public forums that the story exploded.

At least a dozen celebrities were affected by the photo dumps, with over 400 individual images and videos. A list of celebrity names published anonymously, and serving as something akin to a sales brochure, suggests that over 100 have had their personal data compromised.

After this story broke I spent some time immersed in the crazy, obsessive subculture of celebrity nudes and revenge porn trying to work out what they were doing, how they were doing it and what could be learned from it.

1. What we see in the public with these hacking incidents seems to only be scratching the surface. There are entire communities and trading networks where the data that is stolen remains private and is rarely shared with the public. The networks are broken down horizontally with specific people carrying out specific roles, loosely organized across a large number of sites (both clearnet and darknet) with most organization and communication taking place in private (email, IM).

2. The goal is to steal private media from a target's phone by accessing cloud-based backup services that are integrated into iPhone, Android and Windows Phone devices. Accessing the cloud-based backup requires the user's ID and password, or an authentication token.

3. The roles in the networks break down as:

  1. Users who scour Facebook and other social media looking for targets and collecting as much information as possible. Data collection includes utilizing public record services and purchasing credit reports. Obtaining data on a target includes setting up fake profiles, friending or following friends of the target, being persistent with extracting information that might help answer secret questions, approaching friends of the target, etc.
  2. Users who use the target data to retrieve passwords or authentication keys. There are numerous methods here and most have tutorials available online. The most common are RATs, phishing, password recovery and password reset. RATs are simply remote access tools that the user is either tricked into installing via private messages or in an email (link or an attachment) or that someone close to the target will install on their phone or computer with physical access. Phishing is sending the target an email with a password reminder or reset that tricks the user into entering their password into a site or form the attacker controls. Password reminder is gaining access to the user's email account (again using secret questions or another technique) and then having a reminder link sent to access the cloud storage. Password reset is answering the date of birth and security question challenges (often easy to break using publicly available data – birthdays and favorite sports teams, etc. are often not secrets).
  3. Users who take a username and password or authentication key and then “rip” the cloud based backup services using software and toolchains such as Elcomsoft EPRB. The software is heavily pirated and supports being able to dump an entire backup set, including messages and deleted photographs.
  4. Collectors aggregate the data stolen by other users and organize it into folders. The two most popular services to use are Dropbox and Google Drive. The collectors will create preview images for each set and email them around to their contacts. Email addresses for collectors or those willing to trade or sell are available by referral, usually via somebody offering a hacking or ripping service.

Phishing template provided by one user for use by other users.

4. The frequent source of new leads for targets seems to be newcomers who know somebody they want to hack and have stumbled onto one of the networks offering services via search terms or a forum they frequent. The new contributor will offer up a Facebook profile link, plus as much information as is required by the hacker to break the account, plus possible assistance in getting a RAT installed if required. In exchange the hacker and ripper will supply the person providing the lead with a copy of the extracted data, which they will also keep for themselves. This was one of the most unsettling aspects of these networks to me – knowing there are people out there who are turning over data on friends in their social networks in exchange for getting a dump of their private data.

5. In reviewing months' worth of forum posts, image board posts, private emails, replies to requests for services, etc., nowhere was the FindMyPhone API brute force technique (revealed publicly and exploited in iBrute) mentioned. This doesn't mean that it wasn't used privately by the hackers – but judging by the skill levels involved, the mentions and tutorials around other techniques and some of the bragged-about success rates with social engineering, recovery, resets, RATs and phishing – it appears that such techniques were not necessary or never discovered.

6. iCloud is the most popular target because Picture Roll backups are enabled by default and iPhone is a popular platform. Windows Phone backups are available on all devices but are disabled by default (it is frequently enabled, although I couldn’t find a statistic) while Android backup is provided by third party applications (some of which are targets).

Edit: Turns out that Google+ provides backup functionality for photos uploaded via the app, something I missed when checking Android. Thanks James for clarifying in comments.

7. Apple accounts seem particularly vulnerable because of the recovery process, the password requirements and the ability to detect whether an email address has an associated iCloud account. The recovery process is broken up into steps and will fail at each point. While Apple do not reveal whether an email address is a valid iCloud address as part of the recovery process, they do reveal whether it is valid if you attempt to sign up a new account using the same email – so verification (or brute force attempts) are simple. The second step is verifying the date of birth, and it will pass or fail based on that data alone, so it can be guessed, while the last step is the two security questions. It would be a good idea for Apple to kill the interface on signup that shows new users whether their email account is available to use as an iCloud account. It would also be a good idea to make the recovery process one big step where all data is validated at once and the user is not given a specific error message. It would also be wise to attach rate limits and strict lockout to this process on a per-account basis.

Being able to POST an email address to and getting back a response indicating if it is a valid account or not, with little to no rate limiting, is a bug.
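As an added example (not code from the post or from Apple), here is the staged recovery flow described in point 7 side by side with the single-step, uniform-error, per-account-lockout design it recommends, plus a signup response that never confirms whether an address is already registered. The account record, the dates of birth, the answers and the limits are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Low iteration count keeps the demo fast; a production store would use far more.
PBKDF2_ROUNDS = 10_000
MAX_FAILURES = 5            # per-account failures before lockout (constructed limit)
LOCKOUT_SECONDS = 15 * 60   # lockout window (constructed limit)
GENERIC_ERROR = "recovery unavailable"


def _hash(value: str, salt: bytes) -> bytes:
    """Hash a recovery factor after light normalisation so 'Red Sox' and 'red sox' match."""
    return hashlib.pbkdf2_hmac("sha256", value.strip().lower().encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    email: str
    salt: bytes
    dob_hash: bytes
    answer_hashes: tuple
    failures: int = 0
    locked_until: float = 0.0


def make_account(email: str, dob: str, answers) -> Account:
    salt = secrets.token_bytes(16)
    return Account(email, salt, _hash(dob, salt), tuple(_hash(a, salt) for a in answers))


# Constructed in-memory account store. The dummy record lets unknown addresses take
# the same code path (and roughly the same time) as real ones.
ACCOUNTS = {
    "alice@example.com": make_account("alice@example.com", "1990-01-02", ("Red Sox", "Fluffy")),
}
_DUMMY = make_account("dummy", "1970-01-01", ("dummy", "dummy"))


def recover_stepwise(email: str, dob: str, answers) -> str:
    """The staged flow the post describes: each stage can fail on its own, so the
    response tells the caller exactly which factor was wrong (the weak design)."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return "unknown email"
    if not hmac.compare_digest(acct.dob_hash, _hash(dob, acct.salt)):
        return "wrong date of birth"
    for given, expected in zip(answers, acct.answer_hashes):
        if not hmac.compare_digest(expected, _hash(given, acct.salt)):
            return "wrong security answer"
    return "ok"


def recover_single_step(email: str, dob: str, answers, now=None) -> str:
    """Hardened flow: every factor is checked before answering, the error is the same
    whichever factor failed, and failures count towards a per-account lockout."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(email, _DUMMY)
    if acct.locked_until > now:
        return GENERIC_ERROR
    given = (list(answers) + ["", ""])[:len(acct.answer_hashes)]
    # Build the full list first so every comparison runs even after the first mismatch.
    checks = [hmac.compare_digest(acct.dob_hash, _hash(dob, acct.salt))]
    checks += [hmac.compare_digest(e, _hash(g, acct.salt)) for g, e in zip(given, acct.answer_hashes)]
    if acct is _DUMMY or not all(checks):
        if acct is not _DUMMY:
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
        return GENERIC_ERROR
    acct.failures = 0
    return "ok"


def signup_response(email: str) -> str:
    """Signup never says whether the address already has an account; the outcome goes
    to the mailbox instead, which closes the enumeration channel point 7 describes."""
    return "If this address can be registered, a confirmation link has been emailed to it."


if __name__ == "__main__":
    print(recover_stepwise("alice@example.com", "1990-01-03", ("a", "b")))        # leaks which factor failed
    print(recover_single_step("alice@example.com", "1990-01-03", ("a", "b")))     # generic error
    print(signup_response("alice@example.com") == signup_response("new@example.com"))
```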

7. a) Edit: To reiterate what the main bugs are that are being exploited here, roughly in order of popularity / effectiveness:

  1. Password reset (secret questions / answers)
  2. Phishing email
  3. Password recovery (email account hacked)
  4. Social engineering / RAT install / authentication keys

7. b) Once they have access to the account they have access to everything – they can locate the phone, retrieve SMS and MMS messages, recover deleted files and photos, remote wipe the device and more. The hackers here happen to focus on private pictures, but they had complete control of these accounts for a period.

8. Authentication tokens can easily be stolen by a trojan (or via social engineering) from a computer with iTunes installed. Elcomsoft provide a tool called atex which does this. On OS X the token is stored in the keychain. The authentication token is as good as a password.

9. Two-factor authentication for iCloud is useless in preventing passwords or authentication tokens being used to extract online backups. 2FA is used to protect account details and updates.

10. There is an insane amount of hacking going on. On any day there are dozens of forum and image board users offering their services. While many of those offering to rip alone based on being provided a username and password are scammers, they will still steal the data and sell it or trade it.

11. OPSEC level of the average user in these networks is low. 98% of email addresses provided in forums as part of advertising or promoting services are with the usual popular providers (gmail, outlook, yahoo) who are not Tor friendly. Most users speak of using VPNs when breaking into accounts and suggest which VPNs are best, fastest and “most anonymous.” It was also incredibly easy for some of those involved in distribution of the latest leaks to be publicly identified (more on that later) and for servers with dumps to be found, etc.

12. The darknet forums provide a lot of tips in terms of the hacking steps and also provide databases of passwords, users and dox but in terms of distributing content are usually a step behind the publicly available image boards. They are definitely more resilient in terms of keeping content up once it is published, and might become more popular with users if more data is leaked. Overchan and Torchan have in the past day or longer been full of new users requesting darknet links to the leaked content, and they receive them.

13. The different file name formats, data inconsistencies and remnants such as Dropbox files being found in the dumps can be explained by the different recovery software used (some of which restores original filenames, some of which doesn't) and by the dumpers and distributors frequently using Dropbox to share files. It is unknown how many hackers were involved in retrieving all the data, but the suggestion is that the list of celebrities was the internal list of one of the trading networks. Timestamps, forum posts and other data suggest that the collection was built up over a long period of time.


14. On the topic of OPSEC. Tracking down one of the distributors who was posting ransomed private images to 4chan and reddit was simple. He posted a screenshot as part of pitching the sale of 60 or more images and videos for a single celebrity but didn't black out his machine name or the machine names of the other computers on his local network. A user on reddit did a Google search and tracked down the company he worked for (although they picked the wrong employee). Tracking each of those names linked one of them back to a reddit account that had posted a screenshot of the exact same explorer interface (the guy had a bad habit of taking screenshots of his own machine). He has denied being the source of the images, but he is definitely a distributor who purchased them from within the network, since the ransomed set he posted were all images that had not and have not yet leaked.


Screenshot posted to 4chan as part of attempting to sell this set of images and videos. The poster was initially asking for $100 per image.

Edit: Turns out Maroney was underage when these pictures were taken, which means this screenshot is an admission of possession of child pornography. Reddit mods on the fappening sub are desperately asking users to remove any images of her and other underage celebrities.


Screenshot posted by redditor who had his real identity linked back to the ransom screenshot above.

15. I personally don’t distinguish between somebody who stole the data directly and somebody else who “only” bought that data with the intention of selling it for a profit to the public.

16. It seems to have gone wrong for not only our identified friend but a lot of other members of this network over the past few days. It appears the intention was to never make these images public, but that somebody – possibly the previously identified distributor – decided that the opportunity to make some money was too good to pass up and decided to try to sell some of the images. The first post from this set that I could track down was nearly 5 days before the story became public, on the 26th of August. Each of those posts was a censored image with a request for an amount of money for an uncensored version. After numerous such posts and nobody paying attention to it (thinking it was a scam) the person behind the posts began publishing uncensored versions, which quickly propagated on anon-ib, 4chan and reddit. My theory is that other members of the ring, seeing the leaks and requests for money, also decided to attempt to cash in, thinking the value of the images would soon approach zero, which led to a race to the bottom between those who had access to them.

17. In terms of staying secure the most obvious solutions are to pick a better password, set your security answers to long random strings and enable two-factor authentication. Further, it is a good idea to ring-fence your email – use one email address that remains private for sensitive accounts such as your online banking, cloud storage etc. and then a separate account for communications whose address is made public. There is no privacy mode in phones and they lump together all your data and metadata in one large bucket, and the only solution if you wish to retain a more private or more anonymous profile is to run a separate phone with the account on there belonging to an alias. There is a reason why drug dealers carry multiple phones; it tends to work in terms of segregating your real identity.

18. There is no software that users will ever be able to install or upgrade that will make them completely secure. The responsibility is on both vendors and users. Users need to be aware of good password practices (unique passwords, long, passphrases) as well as the basics of anonymity and security (more on this in another post – attempting to tl;dr security tips in a few small and simple-to-understand points).

Update: Apple have since released a statement:

Edit: The businesswire link is down – the same statement is available in its original form on the Apple website:

After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification.


  1. No, the only safe solution is to not make such photos. It is possible to get around your super secure password by acting like you to a support admin at most websites. On some machines, like phones, you won't even be able to delete the data without going through additional hassles (and as far as I know even then it's not 100% sure the data is gone). And sometimes it's really just the guy the photo is meant for that shares it online or gets hacked. Increasing security is not increasing password strength but doing less things that might hurt you.

    • @Nope: "No, the only safe solution is to not make such photos."

      No, Nope. The solution is to keep private data off the cloud. There isn't a day that goes by where a government agency, banking site, online merchant, website, et al. isn't hacked either outright or by social engineering. Cloud services are far from ready. This is just another sad example of a long line of sad examples re: reasons not to trust the cloud. It isn't ready.

    • This is as much as a solution as “not going out” is the answer for not getting raped..

      • This is as true as it is true that taking nude selfies is equivalent to ‘going out’.

      • Mark, stop being one of those morons. This is not a feminist issue, this is a security issue that has only gotten this attention because it involves celebs. Sony has been hacked, NSA collects everything they can get their mitts on. This is a walking down a dark alley at 3am on the wrong side of town issue.

        the Internet by its very nature excludes privacy, if you do something out here, it will be found by someone.

      • Different ideas of solution:

        Not making nude shots = definitive solution
        Strong security = relative solution

        aside from being in bad taste the rape analogy has another downside:

        it is totally feasible to lead a happy life without doing nude shots of yourself, in fact human evolution and culture worked out quite well for millennia without nude selfies. going outside on the other hand is a requirement for living a healthy life.

        aside from that: whatever anyone does, one has a responsibility to protect oneself and the people around you and to minimize risk for everyone including oneself to get hurt. at least for grown-ups, little children of course are exempt, they can rely solely on others being responsible for them.

  2. And do you think the FBI will be looking for the hackers and the guy who trades/sells the pictures on the darknet, and possibly put down the network/forum? or just the guys on the clearnet?

  3. The people who are serious about security use an air gap. While not a perfect solution, it’s much simpler and much more effective (if less convenient) than any other suggestions offered here.

  4. Another overlooked aspect of these targeted iCloud breaches is that it is very easy to persistently, and surreptitiously track an iOS device once an account is compromised.

    A tool like Sosumi ( can be used to scrape geo-location data from the FindMyPhone web interface indefinitely. Unlike native apps, accessing geo-data in this way *does not* generate any kind of alerts to the user (no notification or GPS icon in status bar).

  5. What’s the link to your RSS? The feed link at the bottom isn’t working for me.

  6. Can you please elaborate on what you meant with the sentence fragment, “approaching male friends of the target, etc.”

    As we are discussing criminal behaviour I want to make sure I understand whatever insinuations are being made involving a specific gender, and what evidence there is to back it up.

  7. @nope – what are you going to do about other people that take pictures of you without your permission? lock yourself in a room alone, forever? some of my favorite pictures are taken by my husband while i’m napping. “stop taking photos” isn’t enough or feasible.

    people don’t say things like “stop shopping online” when credit card #s are obtained through phishing, so why now?

  8. Since it looks like you moderated my RSS feed question, I assume that you’ll see my followup as well. It looks like your RSS feed isn’t working with Feedbin specifically, as it went into Minimal Reader without a problem. I emailed them to see if it was a problem on Feedbin’s side or on your end.

  9. “Android backup is provided by third party applications (some of which are targets).” – Google+, which is preinstalled on most/all Android phones with Google Play Services, has an automated backup for photographs. This isn’t “third party”, since for most users it is an integral part of the OS. Automatic backups are turned off by default, but you are heavily recommended to turn this backup on. 2FA is required, as far as I can tell, for all account operations including access to these services – if 2FA has been enabled by the user.

    • Thanks for that – will update the post. For some reason I didn’t notice it either on my Android test device or on the website.

  10. “None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.”

    What a weaselly worded statement!

    The reason the password mechanism was not “breached” is because it did not offer less security than intended because Apple never intended to put industry standard (say… gmail?) levels of authentication in place.

    All of the "this isn't us, it's the all too common 4chan/internet/filthy porn kids these days" talk is actually an admission that Apple knows the Internet is a dangerous place. Not the kind of place you should connect high profile data to with substandard password authentication mechanisms. They did so anyway because… cloud.

    Apple is desperately trying to spin this into a filthy internet instead of a too crappy for critical business/government cloud story.

    A serious talk about crypto/access policy/the NSA can make centralized computing (mainframe-ish stuff really) and ubiquitous wireless camera/microphone clients a powerful force for affordable, profitable communication. (While every journalist was fapping to the pageviews/ratings of the pics stories Microsoft actually put out a statement that it would refuse US courts)

    I hope Apple's investors realize Apple PR drones are trying to salvage the Apple brand while sacrificing the mix of skepticism, technical debate, crypto but also trust required to make "cloud services" a profitable future product line.

    Apple should not muddy the waters on the technical details of what happened and then expect people to pay for their "cloud services" in the future. This works as long as Apple has some shiny hardware in the pipeline but so far Apple is "innovating" just yet more of the same iPhones and iPads. This kind of "your cloud data isn't our responsibility" talk means Apple has little future in cloud computing and trusted internet services.

    • I scanned their response at first and didn't go back and read it again properly until someone on twitter insisted that what had happened was not hacking but rather just guessing passwords. This user got the impression it was "only" "guessing passwords" because of Apple's denial. Most of the media are reporting it that way as well.

      They really should have put out a proper response and taken the opportunity to inform users, fix the endpoints that allow user ID validation and kill the secret questions.

      • I don’t think it’s unreasonable for a member of the general public to regard the dictionary attack (iBrute or whatever they called it) posted on Github as a “password guessing” attack, rather than “hacking”.

        The image most people have of hackers comes from Hollywood. They don’t really know what hackers do — and I think they’d be surprised at the mundane nature of much of it (especially the parts that don’t even involve computers, e.g. social engineering attacks).

        Apple informing them about exactly what happened probably wouldn’t change their view that this “wasn’t hacking”, because their image of hacking doesn’t match the reality.

        • I would think if anything this would lead people to make more complicated – or “strong” passwords. There are some good examples of this on the web – i.e. – use a passphrase – easy for YOU to remember – extremely difficult to “guess” or even brute force hack with 4 high end video cards processing everything in parallel.

          Cloud targets are a huge honeypot – since once you own that – or its data – you can do a lot of damage – or make a lot of money – either by selling your ill gotten data (photos, documents, etc…) or using it for other means – or even trading it on the ‘dark web’.

          What are the statistics – 11% of the population uses "password12345" for their password … or less – I have known executives (older people – generally – not to stereotype) use 12345 as their main "password" – YIKES. Also, I think most people never put a lock code on their phone – now if it's a flip phone with basic contacts and your number – that could do some damage – but if it's a "smartphone" – one person could FUBAR your life – for a few weeks – or more – depending…

          Two factor authentication might be ideal, but if someone won't bother to passcode lock their phone, why would they use two factor authentication?

          Back in the day, I even had a minor account brute force hacked – because it was a simple word and 4 semi random numbers … good thing it was not an important account – overall – but I did feel like someone borrowed one of my older (yet nice) cars for a joy ride and brought it back a bit rough for wear.

          So IF people realize their password is easy to guess – for a computer – maybe more people could use pass phrases – say 16 to 48 characters – none of this 8 character, alpha numeric junk.
          Mary had a little lamb, little lamb, little lamb. Mary had a little lamb and her fleece was not white at all!

  11. “hey do reveal if it is valid or not if you attempt to sign up a new account using the same email – so verification (or brute force attempts) are simple. ”

    What would be an acceptable solution to this problem? Most cloud-based services use your e-mail address as the login, so you always have to inform the user if an e-mail address is already associated during signup.

    • Solution is to drop the interactive feedback when you type in the email address you want to sign up with:


      And alternatively let the user know after they have submitted the entire form if the email is correct or not. They could also place a CAPTCHA on that form, or if they want to keep the interactivity, set up a throttle so that a client can only make 3, 4 or 5 requests. That would prevent people from writing a script that checks all possible email addresses. At the moment I can take a list of a million email addresses I find elsewhere and work out quickly which are valid Apple IDs.

  12. Whatever font you are using for your blog, it is HORRIBLE. some vertical lines literally disappear entirely

    • I know – it is from Google Fonts but for some reason doesn’t render correctly in some browsers. Only noticed when I ran it with one of the test suites today.

      edit: killed the fonts. much better.

  13. Oh, enough with the “child porn” crap. It has been WELL established that simple boob shots are NOT pornographic. Sam Mendes didn’t get arrested for filming a 16 year old Thora Birch topless in American Beauty. To be considered child porn (and therefore prosecutable) it has to be sexually explicit. Meaning either genitalia or sex acts. So if there was a picture of someone licking her beats, it would probably be considered child porn. But not just simply showing them.

  14. The Apple link doesn't work for some reason Nik. Reckon they saw your post and took it down? Would be pretty fast response if they did considering

  15. Very nice summarisation, but there is still something unclear to me. How did they find the email addresses? I understood that the AppleID confirmation system but still you need to know the email address. You could brute force it and get it confirmed but still you don't know for sure until you access the account. Could it be they used something else to gain the email addresses?

    • A few ways: looking up the address books of those they had already hacked, querying online personal data repositories such as Intelius, web searching, social engineering.

      The first step of targeting where emails and facebook profiles are found is an entire little ecosystem on its own.

  16. Not entirely convinced that Bryan Hamade actually distributed any of the photos. The directory pic that was eventually linked to him had been previously posted on 4chan with folders and machine names blacked out. It looks like he photoshopped it to include his own folders and directories in an attempt to make it seem like he had an ‘uncensored’ copy of this screencap and was therefore an official leak. He posted this picture alongside a bitcoin address for donations. To me, it looks like he was one of the many bitcoin scammers operating on the 4chan threads who went the (short-sighted) extra mile to appear legitimate, only to have it blow up in his face. I’m sure he’d have been arrested by now if law enforcement considered him a genuine suspect – and, as we all know, intelligence agencies are quite well informed.

  17. What about a good old BlackBerry? It seems to be forgotten but Z10 while being a decent touchscreen phone doesn’t have (known) security flaws by design.

Comments are closed.


  • Yes, Watch is elegant, Pay is convenient, and Apple is back. But are we better off? | PandoDaily September 9, 2014

    […] photos were leaked, Apple said it found no instances of a breach in iCloud accounts, but others disagreed. And still others pointed out that it didn’t matter: iCloud, already disliked by so many, was […]

  • Apple: Untrustable « random($foo) September 9, 2014

    […] Notes on the Celebrity Data Theft (HN discussion) – Nik Cubrilovic gives technical commentary and context […]

  • Links: Myths, Mean Girls, identity, people lie about sex | The Story's Story September 9, 2014

    […] “Notes on the Celebrity Data Theft,” from a technical and social hacking […]

  • What’s worth reading | Shreyasp's Weblog September 9, 2014

    […] Celebrity data theft notes and economics. Key morale of the story: “There is no software that users will ever be able to install or upgrade that will make them completely secure” […]

  • Secure your Cloud Storage Accounts | Warren Hudson September 9, 2014

    […] For a more technical analysis of the attack, check out a post by Australian information security consultant Nik Cubrilovic at: […]

  • So, where was I? | Freedom Press September 9, 2014

    […] researcher Nik Cubrilovic says it’s likely that passwords and usernames were hacked to access information that had […]

  • What enterprises can learn from the iCloud celebrity photo hack | VentureBeat | Security | by Ryan Kalember, WatchDox September 9, 2014

    […] Apple has other security issues to consider as well. For example, its account recovery process, password requirements, and ability to detect if an email address has an associated iCloud account makes it almost too easy to verify a valid account using brute force attempts. […]

  • Liens vagabonds old et new media | Meta-media | La révolution de l'information September 9, 2014

    […] Vie privée: le “celebgate”, incident majeur via smart phones d‘Apple […]

  • iCloud security and personal responsibility | iPhoneMama September 9, 2014

    […] are just a few of the most common ways criminals try to hack iCloud accounts. There are and no doubt will be others. If you’re a high value target, you’ll need to […]

  • Эксперты: в Сети существует подпольный рынок эротических фотографий знаменитостей - BLACKSIDERS September 9, 2014

    […] и другой эксперт по компьютерной безопасности — Ник Кубрилович, который также общался с участниками подпольного […]

  • How to delete all your photos and videos from iCloud Permanently! - Moblivious September 9, 2014

    […] You can read how those accounts could get hacked and the advise on how to prevent yours to become a victim of the same scheme in the same press release, or for more elaborate explanation you may incline to read this notes. […]

  • Notes on the details of the celebrity data theft | September 9, 2014

    […] by jonfla [link] [9 […]

  • Two years later, a huge back door in iCloud is still wide open | VentureBeat | Security | by Dylan Tweney September 9, 2014

    […] been open so long, there’s an entire black market around stealing and selling naked photos of celebrities, as well as “revenge porn” (naked photos of women posted by disgruntled […]

  • j.r.mchale : Recommended: September 9, 2014

    […] Notes on the Celebrity Data Theft – Nik Cubrilovic at New Web Order. One of the best pieces so far about the recent leak of confidential celebrity photos. […]

  • Nude celebrity photos: an emerging business model on the Internet September 9, 2014

    […] The photos are said to have circulated since the previous week among a few select groups on 4chan, reddit and ANON-IB, a site that right now displays this message: Maintenance. Please bear with us while we perform the scheduled maintenance. We expect to have the service back and running in a few days (thank you J.L). […]

  • Wednesday’s Worth Reading | Cartazzi :: Scott Johnson and AppData September 9, 2014

    […] Understanding the celebrity data theft. […]

  • The economics of stolen celebrity photos September 9, 2014

    […] is more here, with some interesting exposition as well, via Lawrence […]

  • 5 cyber security lessons from naughty Hollywood actresses | Thomas' private blog September 9, 2014

    […] Anyone who, after reading, is still curious about more technical background can turn, for example, to this researcher or to the source of the iBrute […]

  • Minimizing Exposure from the iCloud » Cigital September 9, 2014

    […] they hacked our phones and got our selfies!” but corporations should be thinking about the circumstances that lead to this weekend’s leak. A group of individuals, using a variety of social engineering based credential/account compromises […]

  • Notes on Celebrity data theft from iCloud https:/... - Thej Live September 9, 2014

    […] Notes on Celebrity data theft from iCloud… […]

  • How the Fappening Hack Happened | Cuberhood News September 9, 2014

    […] Also, the guys that did it got caught. More information on how this happened on such a grand scale, and how a seedy corner of the web operates can be found here. […]

  • Links 9/4/14 | naked capitalism September 9, 2014

    […] Notes on the Celebrity Data Theft Nik Cubrilovic […]

  • The Social Fear Behind 'The Fappening' September 9, 2014

    […] and shut it all down? Hacker supremo Nik Cubrilovic posted a long article yesterday called “Notes on the Celebrity Data Theft” where he claims “There is an insane amount of hacking going on.” In the post, […]

  • It's Time To Kill The Online Security Question | It's Time To Kill The Online Security Question | Social Dashboard September 9, 2014

    […] were compromised. But it seems clear, both from Apple's statement on the matter and from the stated methods of similar hackers, that security questions played a big role in allowing hackers to gain access to their iCloud […]

  • Jill Scott Alleged nude photos of the singer have gone viral on Twitter. : KLIOU September 9, 2014

    […] to make some money was too good to pass up and decided to try to sell some of the images,” wrote security consultant Nik Cubrilovic of The Fappening. “My theory is that other members of the […]

  • The Leak Heard ‘Round the World — The Brooks Review September 9, 2014

    […] Security, and being secure, on the web is really hard and supremely annoying most of the time. That said, I really like Nik Cubrilovic’s thoughts on how to be more private: […]

  • This is bullshit: A rant on hacking, passwords, security and usability. – jessysaurusrex September 9, 2014

    […] According to Nik Cubrilovic, a security researcher who took the lead in digging around and investigating the photo leak, […]

  • Nude celebs on iCloud: Was Apple at fault? - Fortune September 9, 2014

    […] reporters are filing dispatches from the “crazy, obsessive subculture of celebrity nudes and revenge porn” where such photos are exchanged. British tabloids are in hot pursuit of “Original […]

  • Apple fails to learn from last big hack in iCloud exploit | Houston 2600 September 9, 2014

    […] Being able to POST an email address to and getting back a response indicating if it is a valid account or not, with little to no rate limiting, is a bug. – “Notes on the Celebrity Data Theft,” New Web Order, September 2, 2014 […]

  • Apple confirms attack on iCloud accounts: how to better protect your account » t3n September 9, 2014

    […] two-factor authentication. As the businessman and security consultant Nik Cubrilovic notes on his blog, the iCloud authentication token can be obtained comparatively easily with a tool like […]

  • Notes on the Celebrity Data Theft | The Slow Tonsure September 9, 2014

  • Notes on the Celebrity Data Theft | Wheel of Misfortune September 9, 2014

    […] Cubrilovic has posted a detailed technical investigation into the recent and widely reported theft of celebrity nude photos. His post exposes the illegal […]

  • Wake up: The celebrity nudes hack is everyone’s problem | Nagg September 9, 2014

    […] This issue isn’t a story about “right” or “wrong” ways of thinking about privacy — it’s a wake-up call about security and sexuality. … The amount of private data theft going on right now is insane[2]. […]

  • Four short links: 3 September 2014 - O'Reilly Radar September 9, 2014

    […] Notes on the Celebrity Data Theft — wonderfully detailed analysis of how photos were lifted, and the underground industry built around them. This was one of the most unsettling aspects of these networks to me – knowing there are people out there who are turning over data on friends in their social networks in exchange for getting a dump of their private data. […]

  • | The Today Online September 9, 2014

    […] Edit Turns out that Google+ provides backup functionality for photos uploaded via the app, something I missed when checking android. Thanks James for clarifying in comments. […]

  • Blaming iCloud for the celebrity photo leak is a double mistake September 9, 2014

    […] Nik Cubrilovic (via John Gruber), after spending a few hours trying to understand the underworld of intimate-photo leaks, concluded: […]

  • » This is how celebrities' nude photos get stolen. And not only from phones… September 9, 2014

    […] as Nik reports, the first fragments of the archive of nude photos of celebrities, which became widely known a few […]

  • iCloud celebrity photo hack: texts, address books and more ‘also accessible’ – Sydney Morning Herald | September 9, 2014

    […] Cubrilovic, who has been investigating the saga since Monday, said victims’ calendars, text messages, address books and any notes stored on their iPhones […]

  • iCloud hackers likely got away with more than just naked celeb photos - September 9, 2014

    […] He goes into great detail about what is wrong with Apple’s current account recovery process and how that can be leveraged by hackers – read more in his lengthy blog post. […]

  • Apple: no system-wide leak on iCloud, celebrity photos stolen from personal accounts | The Apple Lounge September 9, 2014

    […] the fact is clear, also from Nik Cubrilovic's very thorough report (almost an unofficial post-mortem), that at the root of the leak of recent days there is no […]

  • Apple claims hackers broke into celebrity accounts through social engineering | 我爱互联网 September 9, 2014

    […] that the iCloud or Find My iPhone systems had a vulnerability, claiming instead that the hackers used social engineering to specifically break into the celebrities' accounts and access their cloud backups (not limited to iCloud, but also Dropbox […]