2014 celebrity nude photo leak

On August 31, 2014, a collection of nearly five hundred private pictures of various celebrities, mostly women, with many containing nudity, were posted on the imageboard 4chan, and swiftly disseminated by other users on websites and social networks such as Imgur and Reddit. The leak was dubbed "The Fappening" or "Celebgate" by the public. The images were initially believed to have been obtained via a breach of Apple's cloud services suite iCloud, or a security issue in the iCloud API which allowed them to make unlimited attempts at guessing victims' passwords. Apple claimed in a press release that access was gained via spear phishing attacks.

The incident was met with varied reactions from the media and fellow celebrities. Critics argued the leak was a major invasion of privacy for the photos' subjects, while some of the alleged subjects denied the images' authenticity. The leak also prompted increased concern from analysts surrounding the privacy and security of cloud computing services such as iCloud—with a particular emphasis on their use to store sensitive, private information.

Origin of the term
"The Fappening" is a jocular portmanteau coined by combining the words "fap", an internet slang term for masturbation, and the title of the 2008 film The Happening. Though the term is a vulgarism originating either with the imageboards where the pictures were initially posted or Reddit, mainstream media outlets soon adopted the term themselves, such as the BBC. The term has received criticism from journalists like Radhika Sanghani of The Daily Telegraph and Toyin Owoseje of the International Business Times, who said that the term not only trivialized the leak, but also, according to Sanghani, "[made] light of a very severe situation." Both articles used the term extensively to describe the event, including in their headlines.

"Celebgate" is a reference to the Watergate scandal.

Procurement and distribution
The images were obtained via the online storage offered by Apple's iCloud platform for automatically backing up photos from iOS devices, such as iPhones. Apple later reported that the victims' iCloud account information was obtained using "a very targeted attack on user names, passwords and security questions", such as phishing and brute-force attack guessing. It was believed that the images were obtained using an exploit in the Find My iPhone service. Court documents from 2014 indicated that one user created a fake email account called "appleprivacysecurity" to ask celebrities for security information. The photos were being passed around privately for at least a couple of weeks before their public release on August 31. Some anonymous imageboard users at the time claimed that unreleased photos and videos exist.

The hacker responsible for the leak, who described themselves as being a "collector", distributed the leaked images on the image boards 4chan and Anon-IB in exchange for Bitcoin. Ultimately, the images were widely circulated online via other channels, including Imgur and Tumblr. Celebrity gossip blogger Perez Hilton also re-posted some of the photos on his blog, but soon took them down and issued an apology, saying he had "acted in bad taste".

A major center of activity was the link-sharing website Reddit, where a subreddit, /r/TheFappening, was created for sharing the photos; in a single day, it amassed over 100,000 followers. Reddit administrators were criticized for allowing this to take place in an alleged violation of their anti-doxing rules. As McKayla Maroney claimed to be under 18 at the time the photos of her were taken, Reddit staff took photos of her down and warned that anyone re-posting them, or underage photos of Liz Lee which had been circulating prior to this incident, would be permanently banned from the site and could be prosecuted for distributing child pornography. On September 7, citing copyright issues, Reddit banned /r/TheFappening, also saying the workload of dealing with them had become too much. Reddit banned another subreddit named "Fappening" on the same day.

Content and affected celebrities
The original release contained photos and videos of more than 100 individuals that were allegedly obtained from file storage on hacked iCloud accounts, including some the leakers claimed were A-list celebrities. Shortly after the photos were leaked, several affected celebrities issued statements either confirming or denying the photos' authenticity. Celebrities who confirmed the photos' authenticity include Jennifer Lawrence (confirmed by her publicist), Kate Upton and her husband Justin Verlander (confirmed by Upton's lawyer),  Mary Elizabeth Winstead (confirmed via Twitter),  Kaley Cuoco (confirmed via Instagram),  and Kirsten Dunst, who also criticized the iCloud service. Singer Jill Scott confirmed on Twitter that one of the leaked photos was of her while stating that another was fake.

Celebrities who denied the photos' authenticity include Ariana Grande and Yvonne Strahovski. Olympic gymnast McKayla Maroney denied the images' authenticity on Twitter, but later confirmed the photos were legitimate while also saying she was underage when they were taken. Victoria Justice denied the photos were authentic but later stated on Twitter that she was pursuing legal action and found the leak to be a massive invasion of not just her privacy, but of the privacy of all celebrities affected by the incident. Reports in October indicated that Nick Hogan was the first male star to be directly targeted by hackers, though he denied the pictures' authenticity.

According to security expert Nik Cubrilovic, in addition to the photographs, other personal information such as text messages, calendars, address books, phone call logs and any other data stored on their phones and backed up to the service were also likely stolen.

On September 20, 2014, a second batch of similar private photos of additional celebrities was leaked by hackers. On September 26, 2014, a third batch was also leaked, which was dubbed "The Fappening 3".

Reactions
Actress Lena Dunham pleaded on Twitter for people not to view the photos, arguing that in doing so "you are violating these women over and over again. It's not okay." Actress Emma Watson condemned not only the leak but "the accompanying comments [on social media] that show such a lack of empathy." Actors Seth Rogen and Lucas Neff also spoke out against the hackers and people who posted the pictures. Justin Verlander, then a pitcher for the Detroit Tigers, told the media prior to a game against the Cleveland Indians that he keeps his private life private and would rather focus on the Tigers' race with the Kansas City Royals for the AL Central title than be a distraction to his teammates. Security analysts have stated that the breach could have been prevented through the use of two-factor authentication, while a Forbes writer recommended completely shutting down the iCloud "Photo Stream" feature (which automatically uploads photos taken with an iOS device to iCloud servers).

In an interview with The Wall Street Journal, Apple CEO Tim Cook stated that in response to the leak, the company planned to take additional steps to protect the privacy and security of iCloud users in the future. Notifications will be provided whenever data is restored to a device via iCloud and after logging into iCloud via a web browser, in addition to existing notifications when a user's iCloud password is changed. Additionally, Apple will broaden and encourage the use of two-factor authentication in future versions of its software and operating systems, such as the then-upcoming iOS 8. In conclusion, he emphasized that "we want to do everything we can do to protect our customers, because we are as outraged if not more so than they are".

Jennifer Lawrence contacted authorities and her publicist stated that the authorities would prosecute anyone who posted leaked images of her. Forbes columnist Joseph Steinberg questioned whether the reactions by law enforcement and technology providers indicated that celebrities were being treated differently from ordinary Americans, which, in the case of law enforcement, may be illegal.

On October 1, 2014, Google was threatened with a $100 million lawsuit by lawyer Martin Singer on behalf of unnamed victims of the leak, alleging that Google had refused to respond to requests for the images to be removed from its platforms (including Blogger and YouTube), "[failing] to act expeditiously, and responsibly to remove the images", and "knowingly accommodating, facilitating, and perpetuating the unlawful conduct".

In an interview with Vanity Fair, victim Jennifer Lawrence called the leak a "sex crime" and a "sexual violation"; she added, "Anybody who looked at those pictures, you're perpetuating a sexual offense. You should cower with shame." This view was contrasted by another victim of the leak, Emily Ratajkowski, who told GQ, "A lot of people who were victims of [the hack] said anyone who looks at these pictures should feel guilty, but I just don't think that's fair", and "I'm not sure that anyone who Googles it is necessarily a criminal. I think the people who stole the photos are".

Investigation
The Federal Bureau of Investigation said it was "aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter". Similarly, Apple stated that it had been investigating whether a security breach of the iCloud service was responsible for the leaked photographs, as per the company's commitment to user privacy. On September 2, 2014, Apple reported that the leaked images were the result of compromised accounts, using "a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet".

In October 2014, the FBI searched a house in Chicago, Illinois and seized several computers, cellphones and storage drives after tracking the source of a hacking attack to an IP address linked to an individual named Emilio Herrera. A related search warrant application mentioned eight unidentified high profile victims. According to law enforcement officials, Herrera was just one of several people under investigation and the FBI carried out various searches across the country.

Guilty pleas
In March 2016, 36-year-old Ryan Collins of Lancaster, Pennsylvania, agreed to plead guilty to one count of unauthorized access to a protected computer to obtain information resulting in an 18-month sentence. While no victims were named in the court documents, numerous media outlets connected Collins' case to the breach. During the investigation, it was found that Collins phished by sending e-mails to the victims that looked like they had been sent by Apple or Google, warning the victims that their accounts might be compromised and asking for their account details. The victims would enter their passwords, and Collins gained access to their accounts, downloading e-mails and iCloud backups. In October 2016, Collins was sentenced to 18 months in prison.

In August 2016, 28-year-old Edward Majerczyk of Chicago, agreed to plead guilty to a similar phishing scheme, although authorities believe he worked independently and he was not accused of selling the images or posting them online. On January 24, 2017, Majerczyk was sentenced to nine months in prison and was ordered to pay $5,700 in restitution to cover the counseling services of one unnamed celebrity victim.

Emilio Herrera, also from Chicago, had first been named in the press in 2014; he pleaded guilty to one count of unauthorized access to a protected computer to obtain information in October 2017. Herrera had accessed the accounts of unnamed celebrities and others but was not accused of being involved in leaking or sharing the photos and videos he obtained. He was sentenced to 16 months in jail in March 2018.

In April 2018, 26-year-old George Garofano of North Branford, Connecticut, pleaded guilty to one count of unauthorized access to a protected computer to obtain information. Garofano's attorney said he had been led into the phishing scheme by criminals. On August 29, 2018, a federal court sentenced Garofano to eight months in prison.

On October 22, 2018, Christopher Brannan, a former Virginia teacher, became the fifth man to be convicted in relation to the hacking. Brannan pled guilty to federal charges of aggravated identity theft and unauthorized access to a protected computer. Through a phishing expedition, he hacked more than 200 people. In addition to his celebrity victims, Brannan targeted his underage sister-in-law, as well as teachers and students at the school where he used to teach. Brannan was sentenced to 34 months in prison on March 1, 2019.