The Jennifer Lawrence Leak: Who Is at Risk Now?

PHOTOGRAPH BY ANTONIO DE MORAES BARROS FILHO / WIREIMAGE / GETTY

How does one describe 4Chan? Once an anime-themed image-sharing Web site, 4Chan has become a home for all sorts of graphic, disturbing, and offensive images and—as David Kushner writes in this week’s magazine—a breeding ground for the anarchic pranksters who helped to form the hacker group Anonymous. On Sunday, a 4Chan user (or, more likely, a group of users—details are still unclear) added another entry to the site’s troubling litany when, after some haggling for Bitcoin payments, he or she uploaded a large cache of celebrities’ private images, including nude photographs of the actress Jennifer Lawrence and the model Kate Upton.

The leak made it to the link-sharing site Reddit around dinnertime, where it found an audience in the hundreds of thousands. It also found a name—the Fappening. (“Fap” means masturbate.) Reddit is divided into communities called subreddits, which spring up more or less organically. By midnight on the East Coast, the Fappening subreddit had become one of the fastest-growing subreddits of all time. At any point on Sunday night, upward of a hundred thousand people were searching through 4Chan, Reddit, and the image-hosting site Imgur for the stolen content.

What differentiates this celebrity phone hack from others is the sheer number of images that were released. In addition to what was uploaded, there was a list promising nude photos and videos of about a hundred other celebrities. (A few years ago, Scarlett Johansson and Blake Lively had their phones hacked and their photos leaked onto the Internet, but those instances were the work of a single person working on a single account.) The scale of Sunday’s leak, and the suggestion that there may be hundreds more images and videos to come, suggests something new. “Usually, someone finds a way into someone’s phone and releases one set of images,” Matthew Green, a professor of computer science at Johns Hopkins and an expert on information security, told me. “This time, everything came down at once.” No one knows exactly how the hackers got the images, but Green laid out two possible scenarios. The first, and more frightening, possibility is that someone found a way into iCloud and took a leisurely stroll through millions of uploaded private photos, picking out images of celebrities. The second scenario, far more likely, is that a hacker exploited a flaw in the Find My iPhone app (Apple’s way of reconnecting customers to lost phones and their iCloud accounts). As protection against so-called brute-force scripts, which cycle through a large number of possible passwords, the majority of sensitive, heavily secured sites—including most banks and social networks—boot you out after a few failed log-in attempts. Find My iPhone had no such protection. (As of Monday morning, Apple had patched the flaw. In a statement to the tech Web site Recode, a company spokesman said, “We take user privacy very seriously and are actively investigating this report.” )

All of this, of course, is speculation. Green cautioned that there’s still no proof of a large-scale iCloud break-in, or that the images were ripped from the servers all at once. To that point, Gawker reported Monday morning that people on the image-sharing board AnonIB have been discussing these images for a number of weeks, suggesting that they may have been collected over a stretch of time. And, while a comprehensive hack of iCloud is certainly within the realm of possibility, Green notes that, so far, nobody has taken credit for it. “Usually, in these cases, someone will brag about it, and say, ‘I hacked iCloud,’ and put up evidence,” Green said. “So far, I haven’t seen any of that.” The worst-case scenario, in which everyone who has an iCloud account has been exposed, seems somewhat improbable. “It’s possible different sets of released photos leaked from different sources at different times, so we’re not even sure that this reflects a single attack,” Ed Felten, a computer-science professor at Princeton, wrote in an e-mail. “It could be that the perpetrator has been collecting images over time, from different sources.”

This targeted approach, in which a hacker focusses on one account, doesn’t mean that all non-celebrities are safe from an attack. If you go to the “obtained pictures” section of the AnonIB Web site (please don’t), you’ll find the e-mail and iCloud addresses of dozens of women who are not in the public sphere in any way. When the hackers who patrol the board and advertise themselves as “iCloud rippers” find a way to access the targeted images, they tag them as “wins” and post them on the board. Before Apple’s patch this morning, all that it really took to access your uploaded iPhone photos was a motivated poster who had your iCloud address and access to the brute-force script.

The larger security problem, it seems, comes from a general misunderstanding about how a smartphone differs from, say, a large online forum. Most discreet people know not to upload nude photos onto the Internet but are unaware that a photograph shared privately, through a text message or e-mail, is hardly private at all. “Storing data on a phone carries an inherent risk,” Felten wrote. “The complexity of the software on our phones, and the network and cloud infrastructure to which they connect, makes it difficult to identify, let alone secure, all of the points of vulnerability. It’s prudent to assume that anything on your phone is potentially at risk.”

During the past few years, smartphone and app companies have gone to great pains to make our devices feel safe and private. The amount of personal information stored on smartphones, and, by extension, the cloud, is in odd contrast to the vague, general anxiety that arises whenever photographs leak. For most people, it seems that convenience and ubiquity ultimately win out. “We use our smartphones almost like they are part of our brains,” Green said. “I don’t think people realize how much of themselves they’re giving to Apple, and potentially to hackers.”