Jennifer Lawrence, who confirmed via her publicist that the photos were genuine, has previously said: "My iCloud keeps telling me to back it up, and I'm like, I don't know how to back you up. Do it yourself,” while metadata retrieved from the images shows that the vast majority were taken using Apple devices.
However, this doesn't confirm that iCloud itself was hacked - it might simply be down to individual users’ poor password choices - and other theories as to how the pictures were obtained are also circulating online.
Security experts have suggested that a second cloud service, Dropbox, might be involved and that the massive scope of the leak (posters on 4chan claimed that close to 100 celebrities are affected) implies that “an employee with access to data somewhere made a private stash” and was subsequently hacked by another opportunistic individual.
The anonymous user who first posted the images online claimed to have additional leaks including explicit videos of Lawrence and requested donations via PayPal and Bitcoin in exchange for posting them.
Since the images were first posted online, tech site The Next Web has discovered the code for an iCloud-focused hacking program posted to the open-source website GitHub.
The program apparently exploits a flaw (now fixed) in Apple's 'Find my iPhone' service to guess passwords over and over again without being locked out. This method of hacking known as a 'brute force' attack uses a database of commonly uses words and phrases to guess passwords.
The program's creator told The Next Web that although they had not seen any evidence that the software had been used in the celebrity hacks, they admitted "that someone could use this tool".