Are you a HOT CELEB? Think your SEXY PICS are safe? Maybe NOT

Rather than a single iCloud hack, this week's furore over celebrity nude pics looks more like the work of one or many "secret circles" of hackers whose members mingle on anarchic messageboard 4Chan to share their digital loot from computers and phones they've cracked over a period of years.

The photos were, according to one rumour investigated by The Register, stolen from various cloud backup accounts linked to Apple iPhones, Google Android devices and Windows phones.

Hackers used brute-force password guessing against iCloud accounts which Apple overnight confirmed had occurred on a limited basis, among other techniques, to harvest the data.

The Register has inquired among Google and Microsoft folk regarding evidence of targeted attacks against celebs using their services.

The Register understands the photos would have remained off the public radar, if it weren't for a dump on 4Chan public forums by a new member who bought his way into a secret circle and tried to cash out by offering the photos for sale.

Before this week's exposure, the celeb pics - dubbed 'wins' by members - were quietly traded inside the group, according to this theory.

This version of events explains why some of the nude celeb images were dated as far back as 2011 and others were taken just last month.

Lending further credence to the theory was that a mix of file formats and data remnants from variety of software and cyber lockers like Dropbox were contained in the picture cache.

Unsubstantiated chat logs by anonymous 4Chan users which surfaced online also suggest the existence of a secret smut circle.

Determining whether the rumour was fact or fiction may require the final results of FBI investigations.

Penetration tester Nicholas Cubrilovic, who has investigated similar networks of pic-pinchers, has written that there is lots of illicit pic-swapping going on online.

"What we see in the public with these hacking incidents seems to only be scratching the surface. There are entire communities and trading networks where the data that is stolen remains private and is rarely shared with the public," he writes.

"The goal is to steal private media from a target's phone by accessing cloud based backup services that are integrated into iPhone, Android and Windows Phone devices."

Cubrilovic has examined degenerate nude selfie and revenge porn networks and found communities where users would sell out their Facebook friends in a bid to obtain images on specific people that fellow members hold.

He details such operators' methods as follows:

"The frequent source of new leads for targets seems to be newcomers who know somebody they want to hack .... [they] will offer up a Facebook profile link, plus as much information as is required by the hacker to break [that] account, plus possible assistance in getting a RAT installed if required ... the hacker will supply the [newcomer] with a copy of the extracted data which they will also keep for themselves."

This was one of the most unsettling aspects of these networks to me – knowing there are people out there who are turning over data on friends in their social networks in exchange for getting a dump of their private data."

Work is sometimes delegated to members whose jobs could involve gaining open source intelligence on targets or hacking into their devices using social engineering trickery or password-guessing.

The organisation Cubrilovic checked out was visible across the public and private webs, with coordination through private instant messaging and email.

Cubrilovic advises users to use separate email addresses to separate their most sensitive data from the rest, adding there was "a reason why drug dealers carry multiple phones."

The Register concurs, and reminds everyone to maintain high entropy, non-cliche passwords and consider either encrypting saucy pics or storing them offline. ®