Ten months ago, stolen nude photos of some of the most famous women on the planet were leaked on 4chan. The “Celebrity Photo Hack” claimed over 100 female stars as its victims. The theft and subsequent distribution of the images and video was an awful, pornographic collision of violations: of privacy, of security, of women.
A just-unsealed federal search warrant reveals that the FBI have zeroed in on two residences: an apartment on South Narragansett in Clearing and a brick house on South Washtenaw in Brighton Park, both of which were raided by FBI agents last October.
Special Agent Josh Sedowsky (FBI Cybercrimes Unit) wrote the report, which cites victim account records obtained from Apple as reason to believe that at least one computer used at the brick home accessed “or attempted to access without authorization multiple celebrities’ e-mail and iCloud accounts over the course of several months.” The report focuses on a man, Emilio Herrera, who resided at the Brighton Park house, though the owner of the house appears to be a relative named Jesus Herrera.
This report identifies victims by their initials; because many of the victims’ names were made public, either because they chose to address the assault publicly or by virtue of the crime committed against them, that information is not new to most. The report does, however, include more information about the suffering of the victims that law enforcement observed. Jennifer Lawrence, the most high-profile victim of the attack, described the leak as a “sex crime” when she was interviewed by Vanity Fair for a November cover story. “It’s my body, and it should be my choice, and the fact that it is not my choice is absolutely disgusting.”
In the records, a victim referred to as “J.L.” is described by Sedowsky as being “very distraught” to the point of needing to halt the interview. “J.L. stated she was having an anxiety attack and was visibly shaken.”
While the story was big news last fall, this is the first real glimpse at the scale of the attack. The numbers here demonstrate the astonishing reach of the hacker, or hackers, behind the illegal theft and distribution of the images. From The Chicago Sun-Times:
The unique computer IP address at the home on Washtenaw was used to access 572 unique iCloud accounts between May 31, 2013 and Aug. 31, 2014, according to one affidavit. In total, the agent said those accounts were accessed 3,263 times.
The IP address on Narragansett accessed 330 unique iCloud accounts between May and August 2014, according to the other. Of those, 291 allegedly belonged to people who registered their accounts outside Illinois. Those 291 accounts were accessed more than 600 times, the agent wrote.
The affidavit provides some insight into the strategy behind the hack, as one victim (“A.S.”) reported that she’d been locked out of her accounts a few months before the photographs were posted, between April and May of last year. “All photos were taken with her iPhone and sent through iMessage to her boyfriend,” the report reads. Two videos on her phone were also posted online. “At the time of the leaks, the videos were still stored in her phone.”
Another victim, “A.H.,” also described finding out photos she’d never even sent — photos that lived only on her phone — were stolen. The hack was not just limited to photos these women decided to share with other individuals; photos and videos that were stored on their devices were also vulnerable to attack. This revelation in particular adds to the horror: just possessing a photo of yourself makes you a target for, to use a technical term, scumbags like this.
As Sam Biddle writes at Gawker, “It’s clear now that the celebrity iCloud heist was done through the oldest (and most reliable) method of online malice: phishing emails and a password reset. Anything pertaining to password cracking and phishing is called out in a ‘list of items to be seized’ on the FBI’s warrant.”
At least eight of the celebrity victims’ accounts were allegedly breached from a computer at this Chicago apartment. The Sun-Times also reports that feds left the house with multiple computers, cellphones, floppy disks (apparently still a technology people use), hard drives, thumb drives, and a Kindle.
Herrera has not been charged with a crime, according to the federal court records. In fact, no criminal charges have been filed yet. The investigation is ongoing.
