Naked pictures of Jennifer Lawrence and other celebrity starlets leak online

Graham Cluley
Graham Cluley
@[email protected]

Jennifer Lawrence Nude photos of Hollywood stars, including Oscar-winning actress Jennifer Lawrence, are being shared widely on the net following what some are calling an “iCloud hack”.

More than 100 celebrities, including “Hunger Games” star Lawrence, Kate Upton, Kim Kardashian, Cara Delevingne, Vanessa Hudgens, Kirsten Dunst and Ariana Grande are alleged to have also had their private snapshots and, in some cases, videos published for anyone to see on the internet.

Jennifer Lawrence’s management team issued a statement, saying that they would pursue whoever was responsible for the leak, and warning others not to distribute them:

“This is a flagrant violation of privacy. The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence.”

That seems like a reasonable response to me – too many celebrity websites seem to think it’s okay to publish private photos of female stars that have clearly been accessed illegally. Remember the media activity when naked pictures of film actress Scarlett Johansson were stolen by a hacker a few years ago?

Surely some of these actresses and pop stars have enough pressure on them to maintain a certain body image, with the requirements to exercise constantly and barely eat, without the additional stress and embarrassment of knowing that amateur intimate and private photos are being leched over by strangers.

Sign up to our free newsletter.
Security news, advice, and tips.

But what’s most interesting to us is – what are the security lessons here?

Here’s a quick Q&A:

What has happened?
Hundreds of photos, and some videos, have leaked onto the net of a wide range of actresses/models/whatever. Links to the images have been widely shared on sites like 4Chan and Reddit.

Celebrity list

When did this happen?
Well, links to the images started appearing yesterday online… but it’s unknown when the security breach occurred.

A tweet from one of those affected, actress Mary Winstead, implies that the photos that have been leaked of her were taken years ago and then deleted.

Mary Winstead tweets

To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves.

Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked.

Remember, even if a photo has been deleted from your physical phone – it might still exist somewhere in a backup.

It’s possible that whoever collected the naked images has been doing so for some time, and amassing a collection for his or her own entertainment for quite some time. If naked images of celebrities are your bag, it’s possible you would curate quite a large “butterfly collection”.

Are all the photos genuine?
Some of the photos are faked. Others do appear to be genuine. The quote from Jennifer Lawrence’s representatives, for instance, confirms that the images of the actress have been stolen.

Was an Apple iCloud hack responsible?
We don’t know. There have been claims that iCloud may be involved, but it’s tricky to confirm even if all of the celebrities affected use Apple devices.

Many folks are blissfully unaware about iPhone photos being automatically sent to an Apple iCloud internet server after it is taken. That’s great in some ways – it means it’s easily accessible on our other Apple devices – but might be bad in others.

Even if they were all using iCloud, it’s possible that there isn’t a security hole in iCloud itself but rather that celebrities had not properly secured their accounts with – for instance – hard-to-guess passwords.

So, if they had a hard-to-guess password, they would have been safe?
Not necessarily. After all, they could always have been phished or have shared that password with one of their assistants or have used the same password somewhere else on the net.

All this, of course, depends on knowing your target’s email address in the first place. The email addresses of celebrities aren’t, understandably, easy to determine – but if one celeb manages to get hacked their address book might be a goldmine for hackers who wish to widen their attack.

Also, in the last few days proof-of-concept code has been shared online which claims to brute force iCloud accounts – although it’s hard to believe that this could have been successfully used against a wide number of accounts without detection in a short space of time.

Proof of concept code

Apple has now reportedly prevented the code from working, although it’s important to stress it has not been confirmed that this was involved in the celebrity hack.

How else might they gain access?
Many sites give you a “Forgot your password” option, or ask you to jump through hoops by answering “secret questions” to prove your identity.

However, in a celebrity’s case, it may be particularly easy to determine the name of their first pet, their birth date, or their mother’s maiden name with a simple Google search.

This is why you should never answer those “secret questions” honestly, but instead make up an answer. That explains why my first pet was called “4CxZnn9P”.

A further possibility is that celebrities might have (knowingly or unknowingly) given access to their accounts to other users. In the case of celebrity hacker Christopher Chaney – who pleaded guilty to hacking into the Apple, Gmail and Yahoo accounts of starlets like Scarlett Johansson and Mila Kunis in 2011 – he automatically forwarded any email the hacked celebrities received to an account under his own control.

What about two-factor authentication?
If available, always enable two-factor authentication (2FA) on online services. 2FA makes life much harder for hackers attempting to hijack control of accounts and devices, as it means they require more than just your username and password. They also need a one-time password (OTP) that is sent to your device itself.

Apple two-factor authentication

Unfortunately, Apple although has had 2FA since early last year, it has been slow to bring it to iCloud accounts. It would be great to see Apple make such protection mandatory, rather than an opt-in choice for the few who even know about it.

You can learn how to enable Apple’s 2FA protection here.

In my mind, the lack of two-factor authentication is likely to have played a critical part in this security breach.

No doubt there will be more to learn about this case in the coming weeks. Watch this space… and don’t forget the most important question of all:

I’m a celebrity. How do I stop hackers from stealing my naked photos?
Simple. Stop taking naked photos of yourself.

In fact, that’s good advice for the non-celebrities too.

The only photos that can ever be stolen from you are the ones that you take. Take no nude photos and you’re safe.

Cut out and keep reminder

If you really *must* take a nude photo (and ask yourself – WHY must you do that?), maybe it’s unwise to have it anywhere other than on your phone.

And at least keep your face (and any distinguishing tattoos) out of shot.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “Naked pictures of Jennifer Lawrence and other celebrity starlets leak online”

  1. scallywag

     Assuming the photos are real or appropriated, the question is how can any celebrity expect to challenge the internet, the message boards and claim that the photos can not be duplicated? Which is to ask at what point when an individual chooses to store material that can be uploaded on an Apple Icloud service (who then claim ownership) and then somehow disseminated be expected to retain rights over those photos, especially when they are in the business of being a public figure- which is to ask legitimately how much rights does a public figure have of their image and how far can they actually go to control it, never mind the illegal means which said photos were retrieved….

    1. Jay · in reply to scallywag

      According to the Reddit posts and a few articles I have read, it seems that once a celeb has taken a pic, it is their's and they hold the copyright to it automatically. Meaning, when someone steals it and leaks it, that means the "hacker" is in violation of not only her privacy but her copyright.

  2. JBL in SoutheastAZ

    It's not the taking of nude photos that's so bad, it's the sharing. I would never take one on my phone or tablet, because it's so hard to be certain that some kind of archiving or sharing isn't happening, or that some future malware wouldn't steal stored photos. If you want to take nude pictures, use any one of the many available snapshot or full-featured digital cameras that are NOT internet-enabled, and guard the memory cards carefully (and don't put them into a networked computer either).

  3. Joker

    To be honest why take them on your phone or tablet.. serves them right buy a camera store them on a SD card… if you synced your phone to the cloud then it's your own fault… I mean if y'all want to take pics like that put them on I don't know hhhmmmm a portable camera or a SD card why keep them on your phone… why take pics like that and then choose to keep them lol I know y'all are rich and can afford a camera or a SD card heck most phones cone with a SD card or hey ever heard of a gallery lock app it locks things on your SD card or phone like it is not on your phone… honestly why grip about something you caused cause y'all were stupid enough to keep them on your phone or upload them to the cloud… hhhmmmm they can't truly be mad at anyone or embarrassed about anything that they caused… this is bound to happen considering hackers are everywhere I did hear about it but never viewed them cause I'm not a pervert but to be honest laddies acting school should teach more than just looking good on camera and making sure your lines are right… they should also teach common sense and that's all I got to say about this… stop crying or getting upset over something y'all caused this is america I'm sure y'all have heard of hackers when they get bored they do something to entertain them self's… but if y'all kept them on your phone or uploaded them to the cloud and didn't erase them or safe guard them… then the real person you should blame is yourself…. on that note sorry it happen sucks but its a lesson learned bet you won't make that mistake again…. later. Joker aka Hustler

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.