And what we don't
More explicit photos were posted on the website 4chan Saturday, this time purportedly showing Kim Kardashian, Vanessa Hudgens, Mary-Kate Olsen, Hayden Panettiere, Kaley Cuoco, Hope Solo and an underage Disney star, among other female celebrities.
Previously unseen photos purportedly showing Jennifer Lawrence, who became the face of the last major celebrity photo hack, were posted, too. The photos quickly spread from 4chan to Reddit, following the same pattern as the previous hack, which leaked private photos of Lawrence, Kate Upton, Ariana Grande and almost 100 other female celebrities.
Here’s what we do and don’t know about the latest nude celebrity photo hack:
Are the photos real?
At least two of the hack’s victims have confirmed their leaked photos are, in fact, real.
Actress Gabrielle Union told TMZ on Saturday that her photos were intended for only her husband’s eyes, and slammed the hackers’ insensitivity. “It has come to our attention that our private moments, that were shared and deleted solely between my husband and myself, have been leaked by some vultures,” Union said.
On Sunday, Actress Meagan Good released a statement on Instagram, saying “I’m definitely in shock… Saddened for everyone who is experiencing this… But I ‘choose’ not to give the persons responsible my power.. At the end of the day—We all know these pictures were for my husband.”
In the last celebrity hack, many victims confirmed that the photos were indeed authentic. Cuoco, whose photos were also released in the previous hack, said Thursday on Jimmey Kimmel Live! that she was disturbed to realize the photos were real, but ended up making a “joke about it,” because “you have to make fun of yourself.” Other reactions were less lighthearted: Lawrence’s rep called it a “flagrant violation of privacy.”
What about the other celebrities?
Most have not released statements, or have declined to speak. A rep for Kardashian has declined to comment about the leaked photos to multiple publications. There’s also no word from Panettiere, Olsen, Solo or Hudgens.
But many are wondering about Hudgens, and what approach she’ll take now that she’s not the young Disney starlet of the High School Musical franchise. In 2007, after being shamed for a leaked nude photo, the 18-year-old actress apologized to fans, while Disney followed up and told People that “We hope she’s learned a valuable lesson.”
How did it happen?
No one knows yet, but experts told TIME they believe it’s similar to the last celebrity photo leak, when Apple confirmed that it was a “very targeted attack on user names, passwords and security questions,” and a not system-wide breach of iCloud or Find my iPhone, as was first widely believed. (TIME has reached out to Apple for comment regarding the most recent hack.)
Bob Stasio, Vice President of Threat Intelligence at CyberIQ Services, said the most probable cause is that hackers obtained access to photos by answering security questions to recover or reset passwords—a common tactic and the one apparently used last time. Last year, Michelle Obama’s and other celebrities’ financial records were accessed by hackers who knew enough personal identifying information to impersonate them, according to CNBC.
“The problem with celebrities is that a lot of their information is publicly available,” Stasio said.
Once the passwords have been reset, the hackers can access the celebrities’ e-mail accounts to obtain the passwords to enter iCloud. Hackers will have previously gained access to the stars’ computer servers, thus their e-mails, either physically or remotely through backdoors planted in their systems, Stasio said. These backdoors may have been planted through targeted emails that tempt the users to click on a link or download an attachment.
“That’s really how hacking works,” Stasio said. “It’s all very iterative. You get to one spot, and you have to get to the next spot.”
Can the hackers be found?
They haven’t been found yet, and security experts believe it will be difficult, but not impossible, to track down the hackers. If iCloud accounts were accessed, then Apple can use a record of logins to determine the IP address, Stasio said. But hackers would likely hide their IP address by routing through a different one in another country, which complicates the process. Another method would be to track who had originally posted the pictures on 4chan.
In fact, experts say photo-leaking culprits are often caught, and the fact that both Apple and law enforcement are already involved make the investigation even more likely to turn up results. In 2011, for example, a hacker used the “forgot my password” function to access and leak nude photos and other personal information of Scarlett Johansson, Mila Kunis and Christina Aguilera. An FBI investigation resulted months later in a Florida man being sentenced to 10 years in federal prison, according to CNN.
“The success rate is very high. People doing this are very foolish, thinking they’re going to get away with it,” said Phil Lieberman, President of Lieberman Software Corporation. “For a period of time, they’re the hero. Once they’re caught, they’ll become the zero.”
So why haven’t we found the hackers yet?
In short, it takes time.
“If someone’s life is in danger, law enforcement moves very quickly,” Lieberman said. “But pictures of celebrities don’t rise to the level of kidnapping, murders or serious violent crimes. They’re seen more as economic crimes or invasions of privacy, which are serious, but go on a little slower track.”
Moreover, the fact that Apple’s weak iCloud security was patched only recently means that several intruders may have been in the system for quite a while, experts said, which would add additional layers to the investigation.
Will it happen again?
Experts say yes: This is the second major celebrity photo hack in one month, and it’s part of a rising trend. When Target was hacked last year, Stasio said, a group of hackers sent e-mails to other companies saying they’d detected a similar vulnerability, offering help through a clickable link, which, if opened, would’ve infected the company’s system.
“Not only have the trends of the actual hacks spread, but people use the awareness of the hack itself to try to use it as an infection,” Stasio said.
And there’s likely more photos that have been accessed but not yet shared. Lieberman said that for hackings in the commercial world, the average time the hacker or hackers have spent in the system is 200 days. This suggests the intruders could’ve had months to amass a large collection of explicit photos.
“This may not even be different than the first one,” Lieberman said. “This may in fact be the same group of people with the same set of data, just simply taking another bite of the apple.”