Jennifer Lawrence and others phished, not hacked, Apple says

This image was removed due to legal reasons.

Hackers didn't obtain nude photos of A-list celebrities like Jennifer Lawrence and Kate Upton because of a serious iCloud vulnerability. They did it through good old fashioned phishing, Apple claims.


The leading theory of how a group of hackers accessed the private photographs of more than a hundred Hollywood celebrities was they used a script called ibrute that exploited the "Find my iPhone" service by automatically guessing the password of their victims multiple times until it got the correct one.

On Tuesday, Apple denied the claim in a statement. Instead, the company said, the photos were accessed through "a very targeted attack on user names, passwords, and security questions." In other words, the celebrities were most likely duped into giving away a password or key information that gave hackers access to their accounts.


But why did tech sites push the ibrute/Find my iPhone theory to the point of almost reporting it as fact? Tal Klein, vice president of strategy for Adallom and a cloud security expert, thinks it was a combination of coincidence and the desire to get on the story early.

"There was a lot of happenstance about what went down and how it all went down," Klein told Fusion. "That the photos were leaked over a holiday weekend and that the ibrute exploit had just been revealed made it very tempting for everyone to link the two together."

Klein also pointed out that just because the two events happened so close to each other doesn't mean the actual hacking took place this weekend. In fact, according to chat transcripts obtained by The Guardian, the group claiming responsibility said the leaked photos were "the result of several months of long and hard work."

But should one take Apple's statement at face value? John Sileo, a cybersecurity expert at, said yes.


"Apple is very dependent on customer loyalty and their brand tends to be a pretty shiny branch—more so than a lot of other companies," he said. "If it turned out they were lying, there would be serious backlash against them, especially since they're about to announce the new iPhone."

Sileo also noted that when it comes to security breaches, companies will often downplay their severity initially instead of outright denying them. He cited the January 2014 Target breach as an example. The company admitted the private information of as many as 110 million customers was jeopardized, a figure nearly three times larger than previously reported.


Fidel Martinez is an editor at He's also a Texas native and a lifelong El Tri fan.

Share This Story

Get our newsletter