6 Answers
Nikhil Shimpi, studied at Vinayak Ganesh Vaze College of Arts, Science, and Commerce
TechCrunch has covered this very well. Here is TechCrunch's take on this matter:

As you will by now have probably read, around 100 women celebrities (including Jennifer Lawrence, Ariana Grande, Victoria Justice and Kate Upton) have had naked and explicit pictures seemingly hacked from their iCloud accounts and published online, first on 4Chan and now all over the place. As a reminder, iCloud automatically stores photos, email, contacts and other information online, allowing users to sync this data across different devices. Many of the photos have been confirmed as being genuine, most notably by Lawrence.

The anonymous hacker who originally posted the images first on 4Chan claimed they were taken from iCloud accounts. They demanded donations via PayPal and Bitcoin in exchange for posting them, but only received 0.2545 BTC in donations, which is verifiable at this address: 18pgUn3BBBdnQjKG8ZGedFvcoVcsv1knWa

While it’s highly unlikely to be a security issue with iCloud, the incident has served to remind us all of the issues around internet security in general.

So what do we know about the celebrity photo hacks?

THE MEDIA
The mainstream media is reporting the phones were “hacked”. As usual, this is rarely defined.

Lawrence has previously said she uses iCloud, once saying: “My iCloud keeps telling me to back it up, and I’m like, I don’t know how to back you up. Do it yourself.” Metadata in the images shows that the vast majority were taken using Apple devices.

THE ‘HACK’
There is a suggestion that iCloud has been “hacked”. There has been absolutely no confirmation of this from Apple.

It’s highly unlikely that the “hacker” (or it may have been a group of hackers) was not able to breach Apple’s security in general, but instead targeted specific victims using a combination of social engineering, cracking the password or using Apple’s “Forgot my password” route. They could also have used other less technical methods (it’s usually the non-tech methods that turn out to be the culprit, btw).

GUESSING EMAIL ADDRESSES AND PASSWORDS
Jennifer Lawrence was once quoted in a Time article about her email address containing a key word. Not a wise move. Never give clues in the public domain. Once an email address is known, a hacker could email the target person purporting to be something else (Apple’s iTunes for instance). The target puts their email and password into the hacker’s fake page. Voila.

This phishing attack is emerging as a likely culprit.

Also, having the same password for multiple products (such as eBay and Amazon) means a hacker, if they can get one account right, could use the same password to access your email or iCloud.

Also, Apple’s “Forgot my password” system means that if you know the victim’s birthday and the answers to some security questions, you might gain access to their account. There is a LOT of information out there on celebrities, so coming up with ideas for passwords is entirely possible.
Once inside it’s not possible to see photos or videos which are automatically uploaded from your iPhone to iCloud but you can use software to download it all. Again, voila.

iCLOUD’S SAFETY MECHANISM
To gain access to Photostream, you would need to login with the iCloud user name on a new OSX or iOS machine. If you do that, iCloud sends you an e-mail that a new machine has logged in. You also get a notification on all the other machines using your iCloud account (iPhone, iPad, Mac) telling you a new machine is logged in. So, basically, when you get both mails and notifications, the normal reaction would be to realise you were being hacked and to change your password immediately. Since the notification is almost instant, changing the password very quickly would mean Photostream wouldn’t be able to sync to the Hacker’s machine fast enough for it to download 30 days of photos.
This is one of the main reasons why most experts don’t suspect this incident to be a hack of iCloud.

A PROPER HACK
Another method might be a ‘brute force attack’ on an iCloud account via an automated program. This is hard on iCloud, though theoretically possible.

The Next Web suggests that a Python script on Github (and shared on Hacker News) recently allowed malicious users to ‘brute force’ a target account’s password on Apple’s iCloud, thanks to a vulnerability in the Find my iPhone service. Apple appears to have already patched the hole, however.

There’s no official confirmation this is the culprit though.

WAS IT VIA ANOTHER SERVICE?
Since many of the images appear to have been taken with Android devices and webcams, the leaked images may not have originated from the iCloud photo backup service at all. Many services have automatic backup tools, and could be accessed in similar ways to iCloud (as above).

SNAPCHAT?
Some of the photos had text overlaid. Were they from Snapchat? Probably not. These are most likely screen shots on someone’s phone.

VIA Wi-Fi?
Were phones hacked via WiFi, perhaps at a celebrity event? This is also not known or confirmed.

AN INSIDER?
Personal assistants and bodyguards often have access to celebrity phones. It’s a possibility. Was this hack an employee with access to data somewhere? Again, there’s no confirmation of this (and no suggestion it happened).

A STOLEN DEVICE?
There is always the physical theft of a phone or laptop of a celebrity or belonging to someone well-connected to celebrities.

Complete article: Here’s What We Know So Far About The Celebrity Photo Hack | TechCrunch
Christine Choi, the Cookie Monster's enabler.
[UPDATE]
I found this great article that details how the photos could have been obtained.  Apparently this guy spent the past few days "immersed" in and researching what was going down.  It's a fascinating read (and also horrifying that people would actually be willing to spend so much time and effort to violate someone's privacy).  You can find the whole article here: Notes on the Celebrity Data Theft

Anyone who is curious and concerned about security should definitely read the whole article.  I've quoted some highlights below (emphasis mine):

What we see in the public with these hacking incidents seems to only be scratching the surface. There are entire communities and trading networks where the data that is stolen remains private and is rarely shared with the public. The networks are broken down horizontally with specific people carrying out specific roles, loosely organized across a large number of sites (both clearnet and darknet) with most organization and communication taking place in private (email, IM).

What goes into hacking and obtaining these files:
The roles in the networks break down as:
  1. Users who scour Facebook and other social media looking for targets and collecting as much information as possible. ...
  2. Users who use the target data to retrieve passwords or authentication keys. ...
  3. Users who take a username and password or authentication key and then “rip” the cloud based backup service ...
  4. Collectors aggregate the data stolen by other users and organize it into folders. The two most popular services to use are Dropbox and Google Drive. ...

Where they get the files:
iCloud is the most popular target because Picture Roll backups are enabled by default and iPhone is a popular platform. Windows Phone backups are available on all devices but are disabled by default (it is frequently enabled, although I couldn’t find a statistic) while Android backup is provided by third party applications (some of which are targets).
...
Apple accounts seem particularly vulnerable because of the recovery process, password requirements and ability to detect if an email address has an associated iCloud account. The recovery process is broken up into steps and will fail at each point. While Apple do not reveal if an email address is a valid iCloud address as part of the recovery process, they do reveal if it is valid or not if you attempt to sign up a new account using the same email – so verification (or brute force attempts) are simple.

It is unknown how many hackers were involved in retrieving all the data, but the suggestion is that the list of celebrities was the internal list of one of the trading networks. Timestamps, forum posts and other data suggests that the collection was built up over a long period of time.

The first "leak" was actually a week prior to the Labor Day Weekend fiasco - sounds like someone just got greedy.
The first post from this set that I could track down was nearly 5 days to the story becoming public, on the 26th of August. Each of those posts was a censored image with a request for an amount of money for an uncensored version. After numerous such posts and nobody paying attention to it (thinking it was a scam) the person behind the posts began publishing uncensored versions, which quickly propagated on anon-ib, 4chan and reddit. My theory is that other members of the ring, seeing the leaks and requests for money also decided to attempt to cash in thinking the value of the images would soon approach zero, which led to a race to the bottom between those who had access to them.


Crazy stuff.  I reiterate: you should definitely read the full original article this is quoting from, Notes on the Celebrity Data Theft

[old answer]
In addition to what Blake Swopes outlined in his answer, there is a theory circulating around, based on this 4chan thread (thread?  comment?  something...), that these photos had been obtained a while ago and are just now leaking:

c/p from my answer: Christine Choi's answer to Why did the "Fappening Hacker/s" release the photos?

Apparently, there is a "hacker ring" of people who have explicit photos of celebrities and trade these photos among themselves; in order to become part of this ring, you must share explicit photos of celebrities they do not already have or "buy in"?  And it sounds like someone may have stumbled upon this and gotten excited (or felt like being "altruistic" and sharing)[1].

Sadly, I would not at all be surprised if this were true; and it does seem to explain how "one person" could have so many photos across such a wide spectrum of celebrities.  Looking at the names of people whose photos have been leaked, it's not obvious to me that they all know each other well enough (that said, I know very little about celebrities' respective social lives) that hacking one person would lead to easily hacking another.


[1] I shuddered in disgust just writing that sentence.
Tarikul Islam, works at Facebook

As you may have listened, many private, naked and about bare superstar photographs — of Jennifer Lawrence and Kate Upton, among others — were spilled onto the web on August 31. In spite of a really amazing number of stories that attempt to forward problematic hypotheses about different potential assault vectors as truth, there is still no unmistakable confirmation of how the private photographs were gotten.

5+ Fake Celebrity Nude Sites

It's possible that the photographs were gotten by means of a "raving success and get" zero-day powerlessness in iCloud, but at the same time it's conceivable (and more probable) that another far less demanding technique was utilized, for example, skewer phishing, to accumulate the photographs over a drawn out stretch of time. Apple says it's examining whether iCloud was hacked or not, and probably it will have more information soon.

Meanwhile, how about we examine how the big name nudes might've been acquired. The size of the break would appear to propose that there's some basic component that ties the big names together, which enabled programmers to rapidly get to various records at one time.

One probability is that the majority of the big names utilized iCloud to go down their photographs, and a programmer (or gathering of programmers) found a zero-day weakness in iCloud that enabled them to access the photographs.

Kaushal Hooda, Bookworm. Gamer. Potterhead.
Originally Answered: How did icloud hack happen?
I guess you're referring to the recently leaked celebrity pics.
It is as yet not completely clear, but this article on Ars Technica has some hints...    

iBrute iForce iHack


The breach of the celebrities’ iCloud accounts was reportedly made possible by a vulnerability in Apple’s Find My iPhone application programming interface—at least, that's what has been suggested. Proof-of-concept code for the exploit, called iBrute, allowed for brute-force password cracking of accounts. It was uploaded to GitHub on August 30, just a day before the breach occurred, as ZDNet’s Adrian Kingsley-Hughes noted. Apple patched the vulnerability early on September 1.

All the brute force attack did was test combinations of e-mail addresses and passwords from two separate “dictionary” files. It required knowledge (or good guesses) of the targets’ iCloud account e-mail addresses and a huge list of potential passwords. Because of this weakness, the Find My iPhone service did not lock out access to the account after a number of failed attempts—so the attacker was able to keep hammering away at targeted accounts until access was granted. Once successful, the attacker could then connect to iCloud and retrieve iPhone backups, images from the iOS Camera Roll, and other data.
John Burgess, Former US Foreign Service Officer who's been around the block (and the world) a few times.
The article states that an iCloud account containing the photos was hacked. That account likely belonged to a professional photographer or publicist who had legitimate reasons to have the photos, though the article does not give that detail.
There was a script published to run brute force attacks on iCloud accounts. This was probably (Edit: not so sure, not necessarily linked, see Celebrity Photo Leak: Is Poor iCloud Security to Blame?) used to attack some celebs' accounts, which probably did not have so strong passwords. Apple implemented a fix to prevent the attack (you can use a captcha after some unsuccessful attempts for ex..., or delay answers...).
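
The missing-lockout weakness and the "delay answers" fix mentioned in the answers above, sketched as an added example (not part of any answer and not Apple's code): failed logins are counted per account, never per endpoint, so a secondary API cannot be used to get around the limit that the main login page enforces. The class, function and endpoint names, the thresholds and the sample credentials are all hypothetical.

```python
import time

AUDIT = []  # (endpoint, account, result) tuples; stand-in for a real auth log


class AccountThrottle:
    """Failed-login counter keyed by account only, shared by every endpoint."""

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._state = {}  # normalized account -> (failures, locked_until)

    @staticmethod
    def _key(account):
        # Normalize so "User@Example.com " and "user@example.com" share a counter.
        return account.strip().lower()

    def wait_remaining(self, account):
        """Seconds the caller must still wait; 0.0 means an attempt is allowed."""
        _, locked_until = self._state.get(self._key(account), (0, 0.0))
        return max(0.0, locked_until - self.clock())

    def record(self, account, success):
        key = self._key(account)
        if success:
            self._state.pop(key, None)  # reset only on a verified login
            return
        failures = self._state.get(key, (0, 0.0))[0] + 1
        locked_until = 0.0
        if failures >= self.free_attempts:
            # Exponential delay, capped, instead of a permanent lock that
            # would let anyone lock the real owner out indefinitely.
            delay = min(self.base_delay * 2 ** (failures - self.free_attempts),
                        self.max_delay)
            locked_until = self.clock() + delay
        self._state[key] = (failures, locked_until)


def authenticate(throttle, verify, endpoint, account, password):
    """Every endpoint calls this; 'endpoint' is logged, never part of the key."""
    if throttle.wait_remaining(account) > 0:
        result = "throttled"  # the password is not even evaluated
    else:
        ok = verify(account, password)
        throttle.record(account, ok)
        result = "ok" if ok else "denied"
    AUDIT.append((endpoint, account.strip().lower(), result))
    return result
```

A run of "throttled" entries for one account in the audit trail, especially from an endpoint that rarely sees interactive logins, is also a useful alerting signal.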