FBI probes celebrity photo hacks, Apple confirms investigation


Summary: The hunt for hackers and leakers behind the massive celebrity leak on Sunday begins.

TOPICS: Security, Apple

The FBI has reportedly begun inquiries into reports that hackers stole and leaked private and intimate pictures of over 100 celebrities.

According to Associated Press, the FBI said on Tuesday it is "aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter." Exactly how it's addressing the matter isn't clear, but presumably it will need to clear up whether there was a breach in the first instance.

While the FBI leads a range of computer crime investigations, the last major celebrity hack it investigated came as part of the 11-month Operation Hackerazzi, which led to the arrest of a 35-year-old who was accused of hacking the email accounts of individuals including Mila Kunis, Christina Aguilera, and Scarlett Johansson. The man was sentenced to 10 years in jail.

Since photos of victims of the latest hack began appearing on several websites on Sunday, much of the speculation about how the hacker acquired the photos has centred on iCloud. However, the source of the images remains unknown, and they could just as likely have come from multiple sources.

Yesterday it emerged that Apple had fixed a serious security flaw in the Find My iPhone feature within its iCloud service, which is used to store photos, contacts, and content of iOS devices.

On Saturday, security researchers at HackApp posted a proof of concept exploit for an iCloud flaw that let an attacker flood the site with password attempts without being locked out. The attacker would still need the email address victims used for their Apple ID.

The tool, dubbed iBrute, was designed to flood iCloud with the top 500 passwords found in the 2009 RockYou breach, in which 32 million unencrypted passwords were publicly leaked. As ZDNet reported at the time, the top 20 passwords were pathetic at best, with the most commonly used password being "123456".

HackApp yesterday said that its proof of concept no longer worked, suggesting that Apple had fixed the bug its tool exploited.
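The missing control described above is a failed-attempt limit that every password-checking endpoint shares. The following sketch is an added example, not Apple's or HackApp's code: the class and function names, thresholds and account are hypothetical, and the plaintext comparison stands in for the salted-hash check a real service would use.

```python
import hmac

class LoginThrottle:
    """Per-account failure state shared by every endpoint that checks a password."""

    def __init__(self, max_failures=5, base_lock=60, max_lock=3600):
        self.max_failures, self.base_lock, self.max_lock = max_failures, base_lock, max_lock
        self._state = {}  # account -> [failures, lockouts, locked_until]

    def allowed(self, account, now):
        st = self._state.get(account)
        return st is None or now >= st[2]

    def record(self, account, success, now):
        if success:
            self._state.pop(account, None)  # a good login clears the history
            return
        st = self._state.setdefault(account, [0, 0, 0.0])
        st[0] += 1
        if st[0] >= self.max_failures:
            st[0] = 0
            st[1] += 1  # each lockout doubles the wait, capped at max_lock
            st[2] = now + min(self.base_lock * 2 ** (st[1] - 1), self.max_lock)


def attempt_login(throttle, account, password, real_password, now):
    """Single code path for all endpoints; returns 'locked', 'ok' or 'denied'."""
    if not throttle.allowed(account, now):
        return "locked"  # the password is not even compared while locked
    # Assumption: plaintext compare keeps the example short; verify a hash in practice.
    ok = hmac.compare_digest(password.encode(), real_password.encode())
    throttle.record(account, ok, now)
    return "ok" if ok else "denied"


def simulate(guesses=500, interval=1.0):
    """Constructed run: one wrong guess per `interval` seconds at one account."""
    throttle = LoginThrottle()
    results = [
        attempt_login(throttle, "user@example.com", f"wrong-{i}", "constructed-secret", i * interval)
        for i in range(guesses)
    ]
    return results.count("denied"), results.count("locked")


if __name__ == "__main__":
    print(simulate())  # (guesses actually checked, guesses rejected by the lock)
```

With these settings only 20 of the 500 guesses are ever compared against the password. A per-account lock also lets anyone who knows the email address lock the owner out, so it is normally paired with per-source limits and a second factor.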

Apple has not confirmed whether it did in fact fix a flaw; however, it told Re/code on Monday that it is "actively investigating" reports that iCloud accounts were breached.

"We take user privacy very seriously and are actively investigating this report," an Apple spokeswoman told the publication. ZDNet has asked the company for comment and will update the story if any is received.

Earlier this year Apple shot down claims that iCloud was breached after dozens of Australians woke up to find they had been locked out of their iCloud-connected devices by hackers. Apple told users to avoid re-using passwords across multiple services, suggesting victims’ passwords had been sourced from breaches at other services.



Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.



  • Taking it seriously...

    If they took user privacy seriously, they would have rate limited their password accesses. That's really basic security 101: doesn't need rocket surgery to figure out. Watch as they spend 5x more on PR than they ever did on their security for that service.

    Apple's technology under-spending is nothing new. iOS is an embarrassment of bugs whenever a new version comes out.
    • or...

      Using common and easily guessed passwords is stupid. They have 2-factor authentication, what else do you want?
  • Picking and Choosing.

    It seems law in the US is very picky about who owns data.

    When it comes to average Joe, the data we have stored on the cloud isn't actually ours. However when it's 'High Profile' people it seems to actually be theirs and it's an infringement of their rights.

    How is it that upon putting data onto the cloud Governments can access it, and do, and the Vendor can access it, and do. But when someone else comes along and accesses it, it's a big no no.

    There are too many grey areas in digital ownership legality. And frankly I don't think anyone can accuse anyone of anything until a universally acceptable model for ownership of digital content and data is recognised and implemented.
    • Seriously?

      You do not see the difference between you volunteering your data to a vendor and someone stealing it? The Government should be able to access it with a court order, that is the issue. Not that the government should not access information under any circumstances, for any reason. As for the "average joe" the Target hack was also investigated just to mention one recent attack.
      • Not quite.

        What I am saying is there is no definitive agreement that can determine where your data stops and someone else's begins. The legal systems of most countries have not caught up with technology, and because of that it allows the laws that are in place to be interpreted in radically different ways.

        The other point I'm making is that this issue seems to only be being taken seriously now, because it's celebrities. But this kind of thing has been happening to average people for years, and there has never been much fuss over it. Whether that's the fault of law enforcement not taking it seriously, the media not making a deal of it or the victims' own fault is open to debate.

        What is agreeable from all this however is that it was easily avoidable both on the part of Apple and the Users.
      • are you volunteering your data

        to the NSA? Or are they just taking it? You missed the point of the OP.
  • Confidential files can be encrypted independently

    Probably all the cloud storage services are "hackable" to some extent, or authorize their own staff to access user data for various reasons. The way around it is to independently encrypt uploaded material when it is confidential. I don't use Apple, but encryption like ENCFS (e.g. BoxCryptor, or equivalent Android or Linux software) or even the now terminated TrueCrypt would have protected all these pics with a minimum of inconvenience. What cloud services are failing to do is advise their users that nothing, but nothing, they can do or will do is a substitute for independent file encryption.