September 3, 2014

Uncovering how the recent celebrity image breach happened

This weekend close to 700 highly personal photos of more than 25 celebrities were leaked publicly. We looked into the origins of this dump and the files inside it to shed some light on how they got there, particularly to understand how best to protect users against this sort of crime in the future.

The background story

Rather than a single dump of images, this was several leaks, all of which took place over the 2014 Labor Day weekend on two sites: 4Chan and its sister site, AnonIB. Both are notorious. Created in 2003 as a site to swap Japanese Anime, 4Chan was modeled after the BBSs of the 80s and 90s. Like those BBSs, the idea was to create a place where people could hang out, trade images and chat. However, armoured by one of its founding principles – anonymity – it soon became a haven for everything from art to pornography and political protest.

The series of dumps known as “The Fappening” actually started on August 26, 2014 on AnonIB, in a discussion thread dedicated to images of Jennifer Lawrence in a sub-forum dedicated to pictures of celebrities, “/C/”. In that thread a poster claimed that AnonIB’s sub-forum dedicated to stolen photographs was sitting on a hoard of explicit celebrity pictures.

By Saturday, August 30, this had devolved into an argument, with several posters stating that they didn’t believe a “hoard” like this existed.

At 3 p.m. on Sunday, August 31, a poster retaliated by posting a directory listing of the supposed archive, and just a few hours later images supposedly from this archive started to appear on both sites. Initially these were pictures of Jennifer Lawrence and Kate Upton, but later that day someone claiming to be the publisher threatened that he would release all 120 celebs’ photos if enough donations were sent to his bitcoin address. When disbelievers called him on it, he proved his access by dumping pictures of whichever celebs they asked for.


After dumping a few images, the leaker (or an imposter) posted again asking for donations to a different bitcoin address — in fact a separate one was set up for each celeb. When that celeb’s wallet reached an acceptable level he would post the images. At this point a number of other posters started to claim that they too had celeb images and posted their own bitcoin addresses asking for money. In parallel, the leaks gathered pace. As donations were received, whether by the original poster or imposters, images were leaked. This is why the final collection is such a mixture – there were multiple people leaking at the same time.

How did they get the pictures?

As it became clear that the “leak” was actually a collection of images from several people, it also became clear that there were many sources for the images. Some of these images appear to be stills or snapshots taken from a wide range of publicly available videos and films. Others appear to be fakes, either doctored or made using “look-alikes”. However, a significant percentage of them appear to be exactly what the original leaker claimed – intimate photos stolen from celebrities.

Looking at advertisements posted in “/stol/” – the AnonIB stolen image forum – reveals it to be a marketplace, full of posters offering to “RIP Clouds,” the act of extracting data from a user’s iCloud backup.

Like all marketplaces, there appears to be a wide spectrum of skills available. Some required the user’s Apple ID and password in order to “rip” their cloud data, while others needed only the user’s Apple ID. Some also offered the service of infecting the target’s computer with a “RAT” or Remote Access Trojan, a type of malware that allows an intruder to control the victim’s computer remotely, spying on them through their webcam or accessing any private data on the machine.

In order to expedite their attacks, these attackers use a number of tools, ranging from commercial password recovery tools such as Elcomsoft’s “Phone Password Breaker” to well-known password-cracking tools such as “John the Ripper”, run on hardware built specifically to accelerate the cracking process.

Yesterday Apple released a statement saying that the breach did not appear to result from a specific vulnerability in its services. Rather, these users were victimized as a result of their passwords being exposed.

There is an entire ecosystem ready and waiting to exploit anyone whose password it can obtain.

One other thing that we discovered in our investigation is that while two-factor authentication is a strong security control that protects services, it is not always clear which services are actually covered by two-factor authentication once you enable it. During our testing, we enabled two-factor authentication on our test Apple account to see what the user experience was like.

We found that in Apple’s case, two-factor authentication is only required in three very specific cases:

  1. When you sign into your “My Apple ID” to manage your account.
  2. When you make a purchase from a new device.
  3. When you get Apple ID related help from Apple.

Signing into iCloud in order to access, say, your backed-up photos does not require two-factor authentication. In this case, enabling two-factor authentication would not have helped anyone involved in this latest leak. This is an oversight on Apple’s part, and we have reached out to them to suggest that it would be a better, safer experience for users if two-factor authentication were extended to any service that exposes sensitive user data.

How to stay safe

While investigating this we didn’t find any sign of skills beyond brute-force attacks against accounts or the installation of RATs and spyware on victims’ computers. What this means is that there are some clear recommendations that will enable you to stay safe.

1) Ensure that you have a strong, complex password with at least 8 characters, using letters, numbers and special characters (or at least 3 short words concatenated in an unusual way).

2) Enable two-factor authentication (also known as “two-step authentication”) on any services that offer it. With two-factor authentication enabled, it doesn’t matter if an attacker finds your password or steals it from you, because without the additional token provided by the two-factor authentication software they will not be able to log in. However, as mentioned above, simply enabling two-factor authentication may not be enough. Check with your service provider to identify which services are protected by two-factor authentication when it is enabled, and which ones are not.

3) Ensure that you have up-to-date antivirus as your front-line defence against malware such as spyware or Remote Access Trojans.
