‘Fappening’ celebrity nude leak suspect alleged to have hacked 572 iCloud accounts

“The man suspected of hacking celebrities’ iCloud accounts last year and posting their revealing photos online, in what became known as “The Fappening”, allegedly found his way into as many as 572 iCloud accounts,” Thomas Fox-Brewster reports for Forbes.

“According to a recently-unsealed search warrant and affidavit, US law enforcement have tracked the attacks on Apple customers back to one IP address, based at the Chicago residence of one Emilio Herrera,” Fox-Brewster reports. “That IP address was used to enter those compromised accounts 3,263 times between 31 May 2013 and 31 August 2014.”

“It’s odd that one IP address could have been linked to accessing that many accounts without a warning going off at Apple,” Fox-Brewster reports. “That’s if there are mitigations to flag this kind of suspicious activity.”

Read more in the full article here.
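The Forbes excerpt above asks whether anything would flag one IP address entering hundreds of accounts. The following is an added example, not code from the article, the affidavit or Apple, of a detection rule that does so: it alerts when a single source IP signs in to more than a set number of distinct accounts inside a sliding time window. The event format, the threshold of 5 accounts, the one-day window and all sample data are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events: (ISO timestamp, source IP, account).
# IPs are from documentation ranges and the accounts are made up.
SAMPLE_EVENTS = (
    # One address walking through eight different accounts in eight minutes.
    [(f"2014-08-01T10:{m:02d}:00", "203.0.113.7", f"user{m:02d}@example.com")
     for m in range(8)]
    # A household address: the same two accounts, every day for a week.
    + [(f"2014-08-0{d}T09:00:00", "198.51.100.20", acct)
       for d in range(1, 8) for acct in ("a@example.com", "b@example.com")]
    # A slow actor: six accounts, one per month.
    + [(f"2014-0{mo}-15T12:00:00", "192.0.2.44", f"slow{mo}@example.com")
       for mo in range(3, 9)]
)


def flag_fanout(events, window=timedelta(days=1), max_accounts=5):
    """Return {ip: (first_alert_time, distinct_accounts)} for every source IP
    that signs in to more than max_accounts distinct accounts within window."""
    recent = defaultdict(deque)  # ip -> (time, account) pairs still in window
    alerts = {}
    for ts, ip, account in sorted(events):  # ISO timestamps sort correctly
        t = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((t, account))
        while t - q[0][0] > window:  # drop sign-ins older than the window
            q.popleft()
        distinct = {a for _, a in q}
        if len(distinct) > max_accounts and ip not in alerts:
            alerts[ip] = (t, len(distinct))
    return alerts


if __name__ == "__main__":
    for label, win in (("1 day", timedelta(days=1)),
                       ("365 days", timedelta(days=365))):
        print(label, flag_fanout(SAMPLE_EVENTS, window=win))
```

With the one-day window only the fast address is flagged; the address that spreads six accounts over six months is caught only when the window is widened, which is why a long-horizon count per IP is worth keeping alongside the short one.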

“The affidavit for the first time confirms the scope and authenticity of the picture leak — ‘female celebrities’ are listed as victims, though by initials only: ‘A.S., C.H., H.S., J.M., O.W., A.K., E.B., and A.H.,’” Sam Biddle reports for Gawker. “These initials presumably refer to Abigail Spencer, Christina Hendricks, Hope Solo, Jennette McCurdy, Olivia Wilde, Anna Kendrick, Emily Browning, and Amber Heard (though we could be incorrect).”

Biddle reports, “A still-sealed affidavit obtained and reported by the Chicago Sun-Times refers to a J.L., presumably Jennifer Lawrence, the breach’s highest-profile victim: ‘The agent described one interview with ‘J.L.’ that he had to stop because she became ‘very distraught.’ ‘J.L. stated she was having an anxiety attack and was visibly shaken,’ the agent wrote.”

Biddle reports, “It’s clear now that the celebrity iCloud heist was done through the oldest (and most reliable) method of online malice: phishing emails and a password reset.”

MacDailyNews Note: Too many people use one password for multiple services and weak passwords at that. Once hackers guess that password, they then have access to all sorts of things: cloud storage, bank accounts, Facebook, Twitter, email, etc.

Regardless of the origination of these photos and videos, social engineering hacks can be thwarted, at least for iCloud. Use two-step verification for Apple ID to keep your personal information as secure as possible. More info here.

Always use unique passwords and use Apple’s Keychain Access and iCloud Keychain to create and manage them. When used properly, it works like a dream.

SEE ALSO:

iCloud accounts at risk after hacker releases tool allowing access to any login – January 2, 2015
Jennifer Lawrence calls nude photo hacking a ‘sex crime’ – October 7, 2014
Apple’s iCloud security nightmare gets worse as more nude celebrity pics leak – September 21, 2014
Since the celebrity nude iCloud hacks, one third of Americans have improved their online security – September 8, 2014
Apple denies iCloud breach – September 3, 2014
How easy is it to crack into an Apple iCloud account? We tried to find out – September 3, 2014
Celeb nudes: Comprehensive review of forum posts reveals no mention of ‘Find My iPhone’ brute force technique – September 2, 2014
Apple’s iCloud is secure; weak passwords and gullible users are not – September 2, 2014
Apple: No iCloud breach in celebrity nude photos leak – September 2, 2014
FBI, Apple investigating alleged iCloud hack of celebrity nude, sex photos and videos – September 2, 2014
Celebrity or not, Apple isn’t responsible for your nude photos – September 2, 2014
Apple ‘actively investigating’ Jennifer Lawrence, other nude celebrity photos hack – September 1, 2014

29 Comments

        1. Beyond not getting it… I never heard of Apple’s
          2 Step Verification.

          1) Keychain access – happens on a Mac automatically – No?

          In fact if you re-locate your Mac and connect to the internet with a different service provider (example you move and use Bell rather than Rogers) the Keychain access – sees that you are connecting to your Apple ID and in the email Apple notifies you that you have indeed opened your account from a new location.

          2) iCloud Keychain, occurs if you log into your email account say from your Mac or PC at work.

          So – some one please explain how the 2 Step is to occur?

          At home I have entered all info into my Apple account settings for Mail. Does this put any 2 step access into place — not that I know of.

          I can see where troubles may occur. If people happen to start to use say an Android phone and happen to setup access to their Apple ID email account using these phones – might place you in jeopardy as I can not think an Android phone would know what to do with an iCloud keychain or Keychain.

          Please advise… I am sure I am wrong about all this… yet I still do not understand 2 Step Access. That would suggest that my password + keychain access + iCloud keychain is more like a three step security method.

          1. okay – thx MDN for the Apple link to 2 Step Verifications.
            Yes it would be nice that it is set by default – it seems it is a little bit of a hassle though, to first enter your password and wait for Apple to provide a security clearance code to your trusted device.

            However, let’s say your only device is your Desktop computer. Can this be my trusted device? Have not found an answer.

          2. Why my concern for this 2 Step access.

            This information comes to me at a good time or maybe not.
            Two days ago, I was attempting to update Mac software that I had purchased on App Store. The software Glyph, is no longer available on the App Store. In order to obtain the free update, the vendor requested I provide an original receipt. First I checked my email for receipts from Apple… like one gets when purchasing iPad apps from iTunes. Nope, no record. So, I had to access my Apple ID account and did so through App Store. Makes sense, right. However, no record of my purchase located there either. Funny, I found it in iTunes. Why there? Anyways, I found some record there. Plus a few in game purchases that I had not made due to the fact that I don’t play those games and never accept in app purchases. Strange, nevertheless, my credit information has been removed many many months prior to this occurrence. I add my information to my ID before I make App Store purchases then remove it later on. Continuing, I took a screen shot of the iTunes purchase record of Glyph. Sent it to the vendor/developer and got my update download almost immediately. Faster than Apple could provide me with a copy of my receipt. Yeah, okay so what’s the issue Sir?
            Blah blah boo hoo..

            Just yesterday, in my email I received a notice… at first surprised, and waited for a good while as the image built on my screen of two people in blue shirts with the white apple logo appeared. It stated,

            “Dear Apple Client
            We inform you that your ID will expire in less than 24 H.
            it is imperative to conduct an audit to your information otherwise your ID will be deleted.
            Just click on the link below and log in to your ID and follow the instructions”

            (yes, typed as given)
            with a blue button, “Confirm my Account”,
            and copyright ©Apple 2015 Inc. All rights reserved

            At careful look, the email is from: Apple update@iTunes.cam
            Subject: Update Your Account Information !
            Date: June 9, 2015 at 4:20 AM
            To: me… correct email ofc

            SO the sender tried to appear as if from Apple.
            Also, if I hover my mouse over the blue button, it shows the url as “http://tinyurl.com/account-updatter”

            —– any suggestions?

            I would love to setup 2 Step verification.
            However, I wonder if I have a virus or let’s say the image loaded in to Mail granted a Key logging micro app to jeopardize my Apple ID even if I re-create a password or obtain this 14 digit recovery code.

            1. That email is a phishing scam (google it if you don’t know what it is).

              Two-step verification is a system that requires you to use two independent steps when logging in. First you type your iCloud user name and password. iCloud will then automatically send you a text message with a special one-time verification code. When you receive it, you type that code into the verification screen and only then you are signed in. That way, if someone else figures out your iCloud password and tries to log in, they won’t be able to because they’ll also need the code, which they can’t get (you’ll be receiving it on your phone). This also means you will instantly know when someone else tried to log in with your password: you’ll be getting an SMS text with the verification code. They still won’t be able to log in, but at that point, you should be able to log in yourself and change the password.

            2. SUGGESTION: (strong)
              DO NOT RESPOND TO ANY EMAIL ASKING FOR ANY CREDENTIALS !!!! go directly to the source for any changes, surf to the actual web page of the actual resource to verify anything, especially passwords or hints or… ANYTHING

              DO NOT CLICK ON LINKS IN EMAIL LIKE THIS

        2. Two step should not be on by default. With two step you need the code Apple provides or you can never again get into your account should you forget your password. Many many people would make these accounts and lose the code. You can not use security questions or email alone to recover the password on these kinds of two step accounts.

          These accounts are great for those with the ability to keep the code secure. They would not be ideal for the general public and should not be the default.

            1. That would defeat the purpose of two step verification. Also, once Apple gives you that code, they literally don’t have the ability to reset your password. Only you do. That code is the encryption key to your account. It’s a great thing for those who need it but not for the general public.

              This attack on these celebrities might not have even been stopped by two step. They willingly gave up their info to a phishing site/email. If they’re naïve enough to type their password into whatever email they happen to get, they might just as easily type in their two step code.

            2. It wouldn’t work that way. Let us assume that the passwords were obtained by phishing. The hacking web site would then need to be developed to automatically try to log into iCloud the moment user has sent the login information to the hacking site. Then it would have to wait for iCloud to send that verification SMS to the user, and user would now have to enter the code from the SMS back into the hacking site, and then the hacking site would have to enter the code into the real iCloud verification field. If I understand correctly, both of steps on the real iCloud site need to be done by a real human (and not an automated robot).

          1. Well said. True.
            Here is another suggestion.
            Any information that the general public needs to keep secure, do so with a different Apple ID and secure it with the Two Step method.
            For all other purposes make a second or third account, be free of any credit info.

  1. “…interview with ‘J.L.’ that he had to stop because she became ‘very distraught.’ ‘J.L. stated she was having an anxiety attack and was visibly shaken,”
    Aww…bless…poor little thing is just an innocent victim..
    I was ‘visibly shaken’ by her pics too 😎

      1. When you wilfully give your password yourself to the culprit, it is not hacking, it is phishing, a fraud. There is nothing to hack, system was secure and reliable whole time and never compromised.

        Similar how if you give car key to a parking jockey but he instead steals the car, you are not going to say that “the thief broke through car’s Lockcraft door lock”.

    1. Where Apple became part of the problem was during the period of time when their protocols allowed a hacker to pretend to be the user and request an account reset, or requested the stolen devices password, or a couple other possible slips. That’s way over at this point!

  2. Let’s keep things in perspective. This was not the fault of Apple. And Apple was not the cause.

    Instead, the public should direct its derision and ridicule on the basement-dwelling, misogynist loser behind all this. Put his photo on the front pages and call him out for the sick creep that he is.

    Better yet: have the women he humiliated take their turn at him. Shaming the idiot is the least we can do.

  3. It pisses me off everytime when regarding to iCloud someone advises to use 2 factor authentication. Like it is something elementary available for everybody like google 2 factor auth.

    Lack of 2 factor authentication is a major factor I do not use most iCloud services even the basic ones and never will until Apple will come out with a solution.

  4. I have to add:
    1) The ‘Fappening’ was NOT merely the work of one person. The cracked iCloud accounts came from MANY sources. The images were dumped online by those many sources over a long period of time, not just one event.
    2) We’re only talking about one person who became the focal point because he collected the various images and made them an event online. Call him ‘The Fappener’.

    Happily, the message has gotten through that this robbery of data and images from these accounts was NOT (entirely) Apple’s fault. It’s a case of:
    A) LUSER behavior, whereby the victims somehow allowed the account hacking to happen through their own actions, however innocent or ignorant.
    B) Phishing (mostly). This goes on every single day! I turned in two phishing attack emails just this morning. One to PayPal, another to Apple. Recently I sent in other phishing reports to Facebook, Barclays and LinkedIn. Getting sucked in by them is entirely avoidable. But it does require user education.

    As for multi-factor authentication: It’s supposed to be dead simple. But clearly, at this time, it is NOT. I personally have messed up setting up two factor authentication correctly, not realizing at the time that my cell phone needed to first be setup for SMS messages. Oops. The repercussions were beyond my comprehension. Apple helped sort it out. But along the way I found a lot of people within Apple that found it all too confounding as well. We ALL need some personal adjustment and fine-tuning to get multi-factor authentication to ‘just work’.

  5. Strange a few months ago my keychain for no apparent reason seemed to lose its memory or its record of nearly all my passwords for all of my various sign ins universally, so I had to rely on my written records some of which weren’t up to date because I expected it to Simply work like a Dream. Stranger still recently it seems to be able to remember them again for no apparent reason. During this period I haven’t done anything I am aware of, to change any setting or downloaded any system update. Can’t say it gives me the Confidence to simply rely on my Mac to organise such things I’m afraid anymore.

  6. I recall reading that it was also due to crummy security questions by the celebs themselves.

    e.g. I might be safe using my mother’s maiden name or the city of my birth as my security question. “J. L.”, “A. H.”, etc. probably need to think a little harder about what info is out there.

    Also, I recall that the one individual that really started the ball rolling was initially asking for money, and then got into a snit because people weren’t donating. He mentioned that he had paid a lot for those photos. In other words, he bought them from other people. He didn’t do all the hacking himself. (I’ll assume “he” for the sake of discussion.)

  7. The document lists other victims by initials who are believed to be Abigail Spencer, Christina Hendricks, Hope Solo, Jennette McCurdy, Olivia Wilde, Anna Kendrick, Emily Browning and Amber Heard, Gawker adds. The mass leak was branded ‘The Fappening’ – a slang term for masturbation and play on apocalyptic movie The Happening.

    No one has been arrested, or charged in the on-going investigation, which suggests that the seized computers may themselves have been hijacked from another source. It is unlikely that someone capable of carrying out this hack would use their own IP address.
