Revealed: Hacked nude celebrity photos had been on 'deep web' black market for a WEEK - and there could be even more to come



Nude photographs that shows multiple celebrities leaked online

O btained through Apple's iCloud and circulated web for at least a week



Photographs originated on deviant forum called AnonIB - not 4chan

Individual named online as the hacker denies he is the source

Bryan Hamade told MailOnline that he did view images but did not trade

Theft is believed to be the work of a number of hackers - not just one



They claim to have images of other stars, which have not been posted

Twitter is reportedly shutting down accounts disseminating the pictures

Lawrence's spokesman confirmed the nude photographs were published

Kate Upton's attorney called leaked pictures 'an outrageous violation'



The hacked nude photographs leaked online of actresses including Jennifer Lawrence and Kate Upton have been traded on the Internet for at least a week and could be just the tip of the iceberg of stolen celebrity pictures.

Exchanged on the deep web black market and deviant message boards specializing in stolen 'revenge porn' photography, the compromising pictures have been used as a currency of sorts among perverted members of these forums.

Indeed, in the aftermath of Sunday's mass dumping of naked pictures, these boards have descended into anarchy and infighting, with a civil war erupting between those who leaked the pictures and those furious their sordid, secret game has been thrown into the public eye.



Worringly for the general public is how simple the posters make their privacy theft seem - and raises the frightening prospect that Apple's iCloud used by millions is not safe for anyone to store sensitive information on.

Scroll down for video



Selfies leaked: Jennifer Lawrence was the victim of a hacker who posted more than 60 revealing images of the actress online

In the days before the stolen images were uploaded en masse to the 4chan anonymous image-sharing forum on Sunday, the Internet had been awash with claims by web-perverts that they were trading in the embarrassing photographs.

Among these boasts were that the hackers had accumulated pictures of at least 100 celebrities - and were biding their time before releasing them all online.

However, these outrageous claims seemed to originate not on 4chan, but the pornographic image board, AnonIB, which focuses usually on pornographic photographs of non-celebrity women.

During the last week, threads dedicated to Jennifer Lawrence that claimed to contain genuine images of the naked actress began to flood AnonIB - now proved to be real following the actresses confirmation that the pictures are indeed her.



According to those with knowledge of the threads on AnonIB and 4chan, the hacking of the nude pictures from Apple's iCloud was not a sudden smash and grab raid on the privacy of the women, rather collected over time until the list of their alleged victims stood at 101 in total.

Almost a week ago: These posts taken from AnonIB reveal the beginnings of boasts in updates which refer to Jennifer Lawrence and a 'major win'

Boasts: The posts from one week ago are in reference to Jennifer Lawrence's nude pictures being traded online on AnonIB Disbelief: Some posters openly questioned whether the Jennifer Lawrence threads were really genuinely showing pictures of the star

Realization: On Sunday it dawned on users of AnonIB that the images being peddled for the past week online were in fact genuine

It also seems that the hacking may not even be down to one individual, but may in fact be the work of a number of people.

Denial: Georgia software engineer Bryan Hamade has claimed he has been falsely identified as the hacker online by reddit

The first sign that pictures of Jennifer Lawrence might be online was a post from AnonIB user on Tuesday 26 August that claimed a 'major win' for hackers looking for nude pictures of the Oscar winner.



However, many other posters on the anonymous board were skeptical that the pictures were of Lawrence, 24, until a slew of claims made by different posters all popped up on the board with the same revealing pictures.



One in particular bragged that he was 'ripping iclouds' - which is allegedly how the pictures were stolen.



However, in the posts the individual claims that the pictures have been online for some time - possibly weeks - which adds credence to the claims they possess the nude images of dozens more celebrities.



One person named online as a hacker by reddit users, has already come forward to deny any allegations against him.

Bryan Hamade told MailOnline that he was categorically not behind any hacking of celebrities private pictures and has not released any to the public.

He claims that he was identified after he lied to a reddit user to try and get bitcoins from them with a photoshopped picture of a celebrity.

This lie caused suspicion to fall on him and a huge reddit investigation reminiscent of their incorrect efforts to name the Boston bombers was launched.

'I am not the original leaker,' said Bryan to MailOnline.

'I only reposted one thing that was posted elsewhere and stupidly had my network folders visible.'

Hacked: Mary Elizabeth Winstead tweeted that nude photographs of her were taken with her husband 'years ago in the privacy of our home'

In an effort to cast the blame elsewhere, Bryan said that he believes the images released on 4chan may not have been leaked by the person or persons who stole them.

'The real guy is on 4chan posting intermittently,' said Bryan.

'He's most likely the one behind it but it does seem the photos passed around to multiple people before being leaked, so it may just be someone who has them and didn't hack to get them.

'I'd never in a million years know how to hack into any of the accounts listed.

'4chan just attacked me because they like to attack anyone in situations such as this.'

This comes as it was claimed a flaw in the 'Find My iPhone' function of Apple's iCloud service may have helped a hacker to steal nude photos of Jennifer Lawrence and '100 other celebrities', it today emerged.



The hacker claims he or she broke into stars' iCloud accounts, including those of the Hunger Games actress, Kate Upton and Rihanna, before publishing them on 4chan, the image-sharing forum.

A list of the alleged victims of the hack - 101 in total - has also been posted online; most of whom have not seen any photographs leaked by the hacker.



A spokesman for Oscar winner Lawrence confirmed to MailOnline the photos of her are genuine.



'This is a flagrant violation of privacy. The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence,' the emailed statement read.

Following the publication of the images of Sunday night, experts have voiced their concerns over how the hacker managed to access them. Now, reports suggest that a specific flaw in the 'Find My iPhone' service may have been to blame.

Despite the story breaking last night, Apple is still yet to confirm or deny whether its software was the target of the hacking.



Comment: Mary Elizabeth Winstead took to Twitter to speak about her nude leaked photos The hacking victim also offered support for other celebrities whose nude photos were leaked

Means: The naked photographs were reportedly obtained via Apple's iCloud service (pictured)

The firm's iCloud service, which was launched in October 2011 and is used by more than 320million people worldwide, secures data by encrypting it when it is sent over the web, storing it in an encrypted format when kept on server, and using secure tokens for authentication.

This means that data is protected from hackers while it is being sent to devices and stored online.

This suggests the hackers were able to obtain the login credentials of the accounts, and pretend to be the user, in order to bypass this encryption.

Earlier today, The Next Web spotted code on software development site Github, that would have allowed malicious users to use ‘brute force’ to gain an account’s password on Apple iCloud, and in particular its Find my iPhone service.

A message has since appeared saying that Apple has issued a 'patch' or fix for the bug.

'The end of the fun, Apple has just patched,' read an update on the post.

Brute force, also known as 'brute force cracking', is a trial-and-error method used to get plain-text passwords from encrypted data.

Just as a criminal might break into, or 'crack' a safe by trying many possible combinations, a brute-force cracking attempt goes through all possible combinations of characters in sequence.

In a six-letter attack, the hacker will start at 'a' and end at '//////'

Owen Williams from The Next Web, who discovered the bug, said: 'The Python script found on GitHub appears to have allowed a malicious user to repeatedly guess passwords on Apple's "Find my iPhone" service without alerting the user or locking out the attacker.

'Given enough patience and the apparent hole being open long enough, the attacker could use password dictionaries to guess common passwords rapidly. Many users use simple passwords that are the same across services so it's entirely possible to guess passwords using a tool like this.

'If the attacker was successful and gets a match by guessing passwords against Find my iPhone, they would be able to, in theory, use this to log into iCloud and sync the iCloud Photo Stream with another Mac or iPhone in a few minutes, again, without the attacked user's knowledge.

'We can't be sure that this is related to the leaked photos, but the timing suggests a possible correlation.'

Rob Cotton, CEO at web security experts NCC Group added: 'Cyber security is not just a technology problem, humans are very much key to its success. In our day-to-day work we see too many cases of employees divulging sensitive information without first verifying the legitimacy of the request.

'People often point the finger at technology when they've been the victim of a cyber attack, but poor password choices or naivety in the face of a seemingly innocent email is regularly to blame.'

Human error, in a variety of ways, said Mr Cotton, often played a part.

Find My iPhone helps users locate and protect their iPhone, iPad, iPod touch, or Mac - if it’s ever lost or stolen.

Despite the claims, it is possible that the photos were not taken via iCloud, but as a result of 'social engineering'.

This form of hacking works by studying which online services your target uses, before compiling as much information on them as possible, such as their email address, a mother's maiden name, a date of birth, and more.



This data can then be used to trick them into handing over their details or guess their password. If a celebrity uses the same password across accounts, this would be then make it relatively easy for someone to hack if they had the right information.

But the sheer number of names on the list makes this unlikely – unless a large number of hackers were taking part, and a large number of celebrities had poor password management.

Is it them? The hacker published what he or she claimed were naked photographs of Kate Upton (left) and Kirsten Dunst (right). Upton's attorney called the photos of his client 'an outrageous violation' of privacy



Did it happen? Cat Deeley was named as a victim whose photographs were stolen, but no supposedly 'nude' images of her have appeared online Nickelodeon star Victoria Justice wrote on Twitter that her image was faked. She tweeted, 'These so called nudes of me are FAKE people. Let me nip this in the bud right now. *pun intended*' However, this theory would account for Mary Elizabeth Winstead's claims that the leaked photos of her were taken with her husband 'years ago'.

This amount of time exceeds iCloud's Photo Stream facility, which keeps images for a maximum of 30 days before they are deleted.

Other notable services to allow users to access files remotely include Dropbox and Google Drive, which enable users to keep more of their files close to hand without taking up huge amounts of memory on their devices. When activated, iCloud automatically stores users' photos, emails, documents and other information in a 'cloud', allowing them to sync the data across a range of platforms. These include iPhones, iPads and MacBooks. Users can then access their information from any internet-connected device using a log-in and password.

Mysterious: A spokesman denied that nude photographs of Ariana Grande (left) were published. Hillary Duff was named as an alleged victim, though her apparently 'nude' photos have not appeared online On Sunday, the hacker wrote that he or she is accepting Paypal donations for a video which allegedly shows Lawrence performing a sex act. The hacker also wrote, 'I know no one will believe me, but i have a short lawrence video 'Is way too short, a little over 2 minutes and you only get to see her boobs 'Anyways, if somebody wants it let me know how i can upload it anonymously (i dont want the FBI over me, and you dont wanna know how I got this video.)'

'Jennifer Lawrence' became a Twitter trend on Sunday afternoon. Meanwhile, Perez Hilton has apologised on Twitter for posting some of the naked photos of Lawrence on his blog. The celebrity blogger, who has since deleted the photos from the site, told his followers: 'I acted in haste just to get the post up and didn't really think things through. I'm sorry.' He added: 'Upon further reflection and just sitting with my actions, I don't feel comfortable even keeping the censored photos up. I am removing them.'

A spokesman for Kate Upton sent MailOnline a statement from her attorney, Lawrence Shire, about the leaked photos.



Victims? Nude photos of Selena Gomez (left) and Kim Kardashian (right) were also allegedly hacked and acquired. But no photographs have appeared online



Denial: Victoria Justice said on Twitter that nude photos which claim to show her are fake 'This is obviously an outrageous violation of our client Kate Upton's privacy,' the statement said. 'We intend to pursue anyone disseminating or duplicating these illegally obtained images to the fullest extent possible.'

Actress Mary Elizabeth Winstead, who confirmed she was a hacking victim, wrote on Twitter 'To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves.'