The leak of pictures and, allegedly, videos of Jennifer Lawrence by an unknown hacker has security experts – and Apple – puzzled. Though the hacker has posted a list of scores of female celebrities to a chatroom claiming to have more pictures of them, a number of those named have come forward to say that photos claimed to be of them are faked, while others claim they were deleted.



The list of those allegedly affected is long, and includes Jennifer Lawrence, Jenny McCarthy, Rihanna, Kate Upton and the American actress Mary E Winstead. With any hack, the principal questions are: what was the avenue of attack? And where were the photos and videos – if they were real – downloaded from?

The most headline-grabbing possibility for the source of the photos – a full-on frontal-assault ground-up hack of Apple’s iCloud service – is also the least likely. Large companies like Apple have dedicated in-house security teams who attempt to break into their own systems regularly.

“A wide scale ‘hack’ of Apple’s iCloud is unlikely. Even the original poster is not claiming that,” noted Rik Ferguson, vice-president of security research at Trend Micro.

As with the many celebrity hacks (and daily hacks that affect less famous people), the simpler and more likely explanation is the leak of an email and password combination, either through guesswork or “phishing”, when users are fooled by authentic-looking sites into entering their login details, which are then used against them.

Apple is still investigating what is claimed to be an attack on its iCloud service, which is used by iPhone users to store settings and, crucially, which backs up photos taken with the phone to “cloud” servers. If you have a user’s email address and password for their iCloud service, you can log in to their account and download those photos and other details.

The only block to that is if the account owner has enabled “two-factor authentication” (2FA) – an extra layer of security that will send a code to the owner’s phone before it allows login. Comparatively few people use 2FA, however, either because they don’t know about it or find it cumbersome.

Apple is still investigating whether the data was all taken from its iCloud service and, if so, to what extent users’ accounts were compromised. The company had no statement at the time of publication.

Ferguson suggests that the hacker may have used the “forgot password” link on Apple’s iCloud system after gathering the celebrities’ email addresses – perhaps from the address book of another hacked device. Alternatively, the stars used the same password on multiple services, which were captured through that.

Lawrence’s publicist says the photos are real, though not how old they are. In a tweet, Winstead suggested a longstanding effort by the hacker. “Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked,” she wrote.

However the independent security expert Graham Cluley points out that Winstead may have thought that she had deleted the photos from her phone – but with modern smartphones, deleting a picture from the phone does not always mean that no copies exist.

Modern smartphones routinely save photos to the cloud because they often lack enough capacity for the huge number of photos that people take. Apple’s iPhone by default saves photos to iCloud; Google’s Android to its Google+ service; Microsoft’s Windows Phone to its OneDrive service. Third-party services such as Dropbox also offer automated photo and data backups. “People take photos and zap them, but don’t realise that they are being uploaded,” Cluley told the Guardian. Ferguson agrees: “Deleted doesn’t always mean deleted,” he notes.

Those photos and videos can remain stored for years. If someone then gets hold of a user’s email and password, they can re-download all the photos – and also any videos that might have been sent by email. For an Apple device, the photos can be downloaded on to a Mac or Windows PC, or any Apple device. The hacker posted a screenshot claiming to be of so-far unreleased videos and images taken on a Windows PC.

“Two-factor authentication” protects against such hacks because it requires anyone setting up a copy of an existing account on a new device to enter a code that is sent to the primary device – usually a phone. Without that, access is blocked. Apple, Google, Microsoft and Yahoo all offer two-factor authentication on accounts, though it is not known how many, if any, of the affected celebrities used it.

Others have claimed that pictures allegedly of them are not authentic. A representative for Ariana Grande said the photos said to be of her are “completely fake”. Victoria Justice also tweeted that the “so called nudes of me are FAKE people. Let me nip this in the bud right now *pun intended*”

Cluley points to another possibility. Because those involved are celebrities, their accounts might have been hacked through someone who was handling their social media accounts or who regularly deals with their emails. “I wonder whether the agencies or some minion might be some part of this,” he mused. However, the stars named do not share a single publicist or management agency.

Another possibility is that someone who set up one or more of the victims’ systems, or helped configure one, secretly altered it so that any data would be passed back to them. That happened in the case of the “Hollywood hacker” Christopher Chaney, from Florida, who spread photos from Scarlettt Johansson and Mila Kunis’s email accounts in 2011, and was sentenced to 10 years in jail in December 2012 and ordered to pay more than $66,000 in restitution.

Chaney was accused of illegally accessing the email accounts of more than 50 people in the entertainment industry between November 2010 and October 2011; in one instance he sent an email from the account of Aguilera’s stylist to the star, asking for scantily clad photos, and then posted them online. Afterwards Chaney apologised, saying that his actions were “probably one of the worst invasions of privacy someone could experience”. It was also claimed he had stalked two people online for more than ten years.

Cluley said: “In the Chaney case, the stars had their email accounts hacked, and they were being altered so that somebody kept being forwarded their data even when the password changed.”

He said that the obsessive behaviour of those who try to hack such accounts was like “butterfly collectors”. “They just like to collect this stuff. Perhaps what has happened here is that someone stumbled across a stash of these accounts and logins on somewhere like Dropbox. Or they have been at work for a long time to get at them. Or they hacked someone’s email account and got at their address book, and then phished other people. My suspicion is that this isn’t an iCloud security flaw as such.”