Everyone likes a good mystery, and the best one around right now involves the leak of hundreds of celebrity nudes onto the internet. The prevailing theory is that some hacker cracked Apple's iCloud service and then uploaded the nudes to the image-based bulletin board 4chan. We suspect that's not what happened, for reasons laid out below. It's a little involved, but the actual story here, as far as we can put it together, is a lot more interesting than it initially seems.
The first thing we're certain of is, obviously, that a person or persons unknown acquired a collection of nude celebrity pictures. When and how they did this, though, are pretty open—and important—questions. Some of the leaked photos were taken fairly recently; metadata in one photo of Kate Upton, for example, dates it to April of this year. Others, though, weren't. Actress Mary Elizabeth Winstead has said that photos of her were taken years ago, and that she'd long since deleted them.
The fact that at least a few of the photos are years old and since-deleted—not to mention that, according to a tipster, most methods of hacking an iCloud account require physical access to a phone—suggests that they were not obtained in a one-time smash-and-grab hack, but were, rather, collected over a period of time, perhaps years. (Common sense also argues against the iCloud hack theory: Even supposing that a master hacker got access to Apple's backend, it wouldn't follow that he could just pull up celebrities' phones via keyword search, and it's not clear why such a hacker would go for nudes rather than market-moving or politically sensitive information from the phones of financiers and politicians. And then there's this intriguing claim that at least one of the hacks may have involved Dropbox, rather than iCloud.) All of this suggests two alternate possibilities for the technique the original hacker(s) used:
- It's possible, and perhaps likely, that he (or they) went at these phones with sheer brute force, the way Christopher Chaney, the hacker sentenced to 10 years in prison for illegally accessing the online accounts of several famous women, did.
- The fact that by far the easiest way to acquire these photos would be to have password access to devices on which they were stored, and the fact that they seem to have been collected over a lengthy period, suggests that a person, or people, with access to these devices could be the culprit. Who that might be—a shadow network of disaffected personal assistants? a horndog ring of Apple Store employees? a cabal of pervert agents?—we have no idea.
However the photos were acquired, a tipster tells us that a couple of weeks ago, someone was offering them for sale on Tor sites. (These are anonymously held, secure sites, and the person selling them was apparently asking for payment in untraceable Bitcoin.) This is interesting not least because it would vastly widen the circle of people who had access to the photos. Last night, for example, we told you the curious story of how a couple of weeks ago, a Deadspin reader was offered the very pictures that leaked on Sunday in exchange for nude pictures of his girlfriend. At first, we wondered if this might not have been the original hacker, using the pictures he had access to to acquire more pictures. Since this offer appears to have been made after the pictures were already up for sale online, though, it seems much more likely that he's just a random person who bought or otherwise acquired them, and then used them for his own purposes.