A comprehensive, jargon-free guide to the celebrity nude-photo scandal and the shadowy Web sites behind it


Jennifer Lawrence poses on the red carpet at the world premier of “The Hunger Games: Catching Fire.” She was one of several victims of a celebrity hacking. (AFP /Andrew Cowie)

It’s a late entry, and a sad one, but the trove of stolen celebrity nudes that hit Reddit like a bomb over the weekend may just qualify as the Internet story of the summer. After all, it’s the perfect Internet scandal: sex, Bitcoin, shadowy hackers and long-reigning Internet darling Jennifer Lawrence.

And yet, the ongoing incident — which the FBI has said it’s investigating — is far more than a tawdry tabloid story. It also raises a lot of profoundly important issues about technology, security, privacy and power in the digital age. There are practical implications, as well: The leak is inspiring many inhabitants of the “cloud” — a club that, in all likelihood, you belong to — to take a second look at their security settings. Let’s parse the key questions.

What happened, in a nutshell?

Here’s the TL;DR version: On Sunday, a large cache of nude celebrity photos were uploaded to the anarchic message-board site 4Chan. It’s not entirely clear who uploaded the photos, or how many people were involved, but the images seem to have come from a loosely affiliated network of undeniably creepy dudes.

From 4Chan, the photos spread to Reddit. From Reddit, they moved to the rest of the Internet. Celebrities including Jennifer Lawrence and Kate Upton have since confirmed that some of the photos are genuine. Which has left law enforcement, security experts and site moderators pondering what, exactly, they should do.

Which celebrities got hacked?

The cache purportedly includes photos of several dozen female celebrities, including Lawrence, Upton, Kirsten Dunst, Avril Lavigne,  Lea Michele, McKayla Maroney and Ariana Grande. There are also some lesser marquee names in the mix, such as Jessica Brown-Findlay (“Downton Abbey’s” Lady Sybil) and Hope Solo (the U.S. women’s soccer star).

Lawrence, Dunst and Upton have confirmed that their photos were stolen. Some of the other women, including Maroney, have denied the photos are real.

Whether real or fake, there could be a lot more photos where they came from. Gawker reports that, on the message board where the Lawrence leak originated, users have promised an imminent trove of yet-unreleased images, including hacked photos of Kate Bosworth, Hayden Panettiere and Leelee Sobieski.

Who did it?

We don’t know for sure, at this point. But on 4Chan, where this whole mess started, users refer repeatedly to a long-running network of celebrity-hackers, collectors and sellers. One post refers to it as an “underground celeb n00d-trading ring.” (“N00d” being the favored message-board slang for “nude.”)

The ring wasn’t organized — little of 4Chan is. But essentially, it appears the site hosted a kind of shady, loosely organized black market for celebrity photos. Some people would try to sell them; some would try to swap or buy; many amassed large collections that they bragged about, unabashedly, when news of this particular cache broke. (Think of it like baseball cards, but for a nastier and less scrupulous crowd.)

Alas, we don’t know the actual identities of the people in this little club. But at least one man who advertised the photos for sale — 27-year-old Bryan Hamade — has insisted he is not a hacker and didn’t steal any photos himself.

How did they get the images?

This is the million-dollar question, and no one has a conclusive answer to it yet. However, a handful of hackers on 4Chan bragged about exploiting a previously unknown flaw in Apple’s iCloud, the feature that syncs photos, contacts and music among a user’s Apple devices. [UPDATE: Apple has since released a statement on its own investigation into the breach, which found that an iCloud vulnerability was not to blame. However, Apple did find evidence that many Apple accounts were compromised, probably "by a very targeted attack on user names, passwords and security questions."]

In short, most secure services will only let you enter a wrong password a certain number of times before they kick you off. Apple’s “Find My iPhone” feature, however — a spin-off of iCloud — allegedly let users enter wrong passwords infinitely. That leaves the program open to something called a “brute-force” attack: a program that keeps guessing password combinations until it finds the right one.

Of course, there are other possibilities, as well, particularly given that the photos seem to have come from several different hackers. They could have tricked the celebs into giving up their passwords by posing as, say, someone from Apple support who needed credentials for site maintenance. (This little trick is called phishing.) They also could have gained access to the celebrities’ e-mail accounts by resetting their passwords; often, passwords can be reset with the answers to a few simple and easily researched questions, such as the account-holder’s mother’s name or the street where she grew up.

Who else is vulnerable?

To be blunt, just about everyone. Even if you don’t take nude photos (which as many as half of Americans say they do), and even if you don’t use iCloud, you probably store profound amounts of personal data on your phone, in your e-mail, and on your social accounts.

This data appears to be private, particularly when it’s just, say, sitting on your iPhone’s camera roll. But this data doesn’t just live on your phone. It also lives in “the cloud,” a fluffy euphemism for distant corporate servers. Even when companies hire armies of programmers to keep that data secure, it’s still theoretically available to someone: the company itself, or the government, or a particularly crafty hacker.

As Ed Felten, a computer science professor at Princeton, told the New Yorker’s Jay Caspian Kang, “storing data on a phone carries an inherent risk.”

How can you protect yourself?

When it comes to this specific iCloud issue, Apple recommends two main things. No. 1: Use a strong, unique password that you do not also use on another account. (“Strong,” in this case, means including upper and lowercase letters, numbers and punctuation, avoiding idioms and personal information, and making the password long — at least 14 characters.)

Recommendation No. 2: Turn on two-factor authentication, a setting that forces users logging on to iCloud from new devices to enter not only a password to access the account, but also a temporary code sent to your phone. It basically means that no one will be able to access your iCloud without your phone. You can turn on two-factor through the Settings menu on your iPhone or iPad; you can also, incidentally, turn off photo stream from this menu — that’s the feature that automatically syncs your recent photos to “the cloud.”

These two rules apply to securing your other accounts, as well. Don’t repeat passwords across multiple sites — if one falls, they all will. Turn on two-factor for Gmail, Twitter, Facebook and other services that allow it. (The tech writer Mat Honan, who was brutally hacked in 2012, once called two-factor the only thing  that could have stopped it.) And as a final precaution, think very carefully about the things you put online, even in assuredly private spaces like Dropbox or iCloud. There’s no avoiding personal material on the Web — that’s the world we live in. But when it comes to things like “photos I took with my husband in the privacy of our home,” to quote hacked actress Mary Elizabeth Winstead, you might want to keep it analog.

What does Bitcoin have to do with any of this?

Not too much. Hackers and middlemen offered to sell the photos for Bitcoin, a kind of digital cryptocurrency favored by drug-dealers, libertarians and privacy-minded techies. The salient takeaway from that: Bitcoin’s anonymous. It can’t be tracked.

What about 4Chan?

4Chan is a really interesting animal — and a difficult one to understand from the outside. Essentially, the site is a long-running forum that operates without the rules, standards or moderators common on other social sites. Users can essentially post or say anything: a premise that, unsurprisingly, has fomented some pretty gross things.

4Chan is, for instance, the birthplace of  “pranks” like the thigh gap and #cuttingforbieber, which public health experts have accused of threatening vulnerable teens. It’s been the site of several bomb and shooting threats. Several of its users have been busted for trading child porn. None of that has diminished the so-called Wild West of the Web, however. It draws a monthly audience of roughly 20 million and has logged a whopping 1.6 billion posts since 2003.

Will there be legal repercussions?

Possibly. In a statement to the Hollywood Reporter, the FBI said it was “aware of the allegations concerning computer intrusions … and is addressing the matter.”

If the FBI can find the unsavory individuals behind the leak, they’ll likely face a fate similar to “Hollywood hacker” Christopher Chaney, who compromised the e-mail accounts of Scarlett Johansson, Mila Kunis and more than 50 other celebrities in 2011. He was charged with computer hacking for gain, illegal wiretapping and aggravated identity theft and sentenced to 10 years in prison. Lawrence’s and Upton’s lawyers have indicated that they’ll pursue charges against anyone who reposts the photos.

Er, so, where can I view the photos?

In fewer places than you could 24 hours ago, thankfully. A number of sites, including Twitter, are taking the photos off their servers, presumably out of fear of legal action. Reddit, however — where the scandal picked up mainstream speed — is facing harsh criticism over its failure to delete off-site links to the images, even when forum moderators admitted they “seem[ed] pretty scummy.” Reddit’s attitude seems to be that, merely because the photos exist, anyone should be able to view them — an ethical code that does not, needless to say, jibe with many commentators’.

What does all this say about gender/the Internet/human nature/etc.?

There are two very fascinating thematic threads here, which we tend to discuss frequently in our musings on Internet culture. For starters, there’s this predictable invocation of “free speech” — the idea that any content, even reprehensible or private content, should be available and uncensored online. (This political position, many critics point out, falls apart under closer scrutiny: The same people rejoicing over J-Law nudes are the same ones decrying government spying.)

The second thread is related, and even more damning. It’s no coincidence that the nude photos overwhelmingly depict women, not men. And it’s also no coincidence that this (entirely nonconsensual) leak is so much buzzier than, say, the latest celebrity spread in Playboy. In short, when a woman chooses to take nude pictures, she owns her sexuality — but when those photos are taken, or taken from her, by force, then the viewer owns it. It’s humiliating. It’s victimizing. And it’s also very permanent — a photo, once leaked, cannot easily be taken back.

All this sends a clear message to women, writes the noted feminist scholar Roxane Gay: No matter who you are or what you accomplish, “your bared body can always be used as a weapon against you. Your bared body can always be used to shame and humiliate you.”

Whatever the trolls of 4Chan say, nothing is ever just “for the lulz.”

Caitlin Dewey runs The Intersect blog, writing about digital and Internet culture. Before joining the Post, she was an associate online editor at Kiplinger’s Personal Finance.
SECTION: {section=lifestyle, subsection=null}!!!
INITIAL commentConfig: {includereply=true, canvas_permalink_id=washpost.com/8bvh5zpd9k, allow_comments=true, commentmaxlength=2000, includeshare=true, display_comments=true, canvas_permalink_app_instance=m6yzjj840m, display_more=true, moderationrequired=false, includefeaturenotification=true, canvas_allcomments_id=washpost.com/km4ey0dajm, comments_period=14, defaultsort=reverseChronological, includevoteofftopic=false, allow_videos=false, includesorts=true, markerdisplay=post_commenter:Post Commenter|staff:Post Writer|top_commenter:Post Forum|top_local:Washingtologist|top_sports:SuperFan|fact_checker:Fact Checker|post_recommended:Post Recommended|world_watcher:World Watcher|cultuer_connoisseur:Culture Connoisseur|weather_watcher:Capital Weather Watcher|post_contributor:Post Contributor, childrenitemsperpage=3, includeheader=true, includeverifiedcommenters=true, defaulttab=all, includerecommend=true, includereport=true, maxitemstop=2, source=washpost.com, allow_photos=false, maxitems=7, display_ugc_photos=false, includepause=true, canvas_allcomments_app_instance=6634zxcgfd, includepermalink=false}!!!

UGC FROM ARTICLE: !!!

FINAL commentConfig: {includereply=true, canvas_permalink_id=washpost.com/8bvh5zpd9k, allow_comments=true, commentmaxlength=2000, includeshare=true, display_comments=true, canvas_permalink_app_instance=m6yzjj840m, display_more=true, moderationrequired=false, includefeaturenotification=true, canvas_allcomments_id=washpost.com/km4ey0dajm, comments_period=14, defaultsort=reverseChronological, includevoteofftopic=false, allow_videos=false, includesorts=true, markerdisplay=post_commenter:Post Commenter|staff:Post Writer|top_commenter:Post Forum|top_local:Washingtologist|top_sports:SuperFan|fact_checker:Fact Checker|post_recommended:Post Recommended|world_watcher:World Watcher|cultuer_connoisseur:Culture Connoisseur|weather_watcher:Capital Weather Watcher|post_contributor:Post Contributor, childrenitemsperpage=3, includeheader=true, includeverifiedcommenters=true, defaulttab=all, includerecommend=true, includereport=true, maxitemstop=2, source=washpost.com, allow_photos=false, maxitems=7, display_ugc_photos=false, includepause=true, canvas_allcomments_app_instance=6634zxcgfd, includepermalink=false}!!
Comments
SECTION: {section=lifestyle, subsection=null}!!!
INITIAL commentConfig: {includereply=true, canvas_permalink_id=washpost.com/8bvh5zpd9k, allow_comments=true, commentmaxlength=2000, includeshare=true, display_comments=true, canvas_permalink_app_instance=m6yzjj840m, display_more=true, moderationrequired=false, includefeaturenotification=true, canvas_allcomments_id=washpost.com/km4ey0dajm, comments_period=14, defaultsort=reverseChronological, includevoteofftopic=false, allow_videos=false, includesorts=true, markerdisplay=post_commenter:Post Commenter|staff:Post Writer|top_commenter:Post Forum|top_local:Washingtologist|top_sports:SuperFan|fact_checker:Fact Checker|post_recommended:Post Recommended|world_watcher:World Watcher|cultuer_connoisseur:Culture Connoisseur|weather_watcher:Capital Weather Watcher|post_contributor:Post Contributor, childrenitemsperpage=3, includeheader=true, includeverifiedcommenters=true, defaulttab=all, includerecommend=true, includereport=true, maxitemstop=2, source=washpost.com, allow_photos=false, maxitems=7, display_ugc_photos=false, includepause=true, canvas_allcomments_app_instance=6634zxcgfd, includepermalink=false}!!!

UGC FROM ARTICLE: !!!

FINAL commentConfig: {includereply=true, canvas_permalink_id=washpost.com/8bvh5zpd9k, allow_comments=true, commentmaxlength=2000, includeshare=true, display_comments=true, canvas_permalink_app_instance=m6yzjj840m, display_more=true, moderationrequired=false, includefeaturenotification=true, canvas_allcomments_id=washpost.com/km4ey0dajm, comments_period=14, defaultsort=reverseChronological, includevoteofftopic=false, allow_videos=false, includesorts=true, markerdisplay=post_commenter:Post Commenter|staff:Post Writer|top_commenter:Post Forum|top_local:Washingtologist|top_sports:SuperFan|fact_checker:Fact Checker|post_recommended:Post Recommended|world_watcher:World Watcher|cultuer_connoisseur:Culture Connoisseur|weather_watcher:Capital Weather Watcher|post_contributor:Post Contributor, childrenitemsperpage=3, includeheader=true, includeverifiedcommenters=true, defaulttab=all, includerecommend=true, includereport=true, maxitemstop=2, source=washpost.com, allow_photos=false, maxitems=7, display_ugc_photos=false, includepause=true, canvas_allcomments_app_instance=6634zxcgfd, includepermalink=false}!!
Show Comments
Most Read Lifestyle
Next Story
Rebecca Robbins · August 30