Flaw in Apple's iCloud may have allowed celebrities' nude photos to be hacked, expert says

NEW YORK (CNNMoney) -- How did private, nude photos of Jennifer Lawrence and other celebrities get hacked and leaked on the Internet?

A combination of a common Internet scam, weak passwords and a since-fixed vulnerability in Apple's photo backup service could be to blame.

Hackers often send fake emails posing as the victim's bank, Facebook or an email provider. Those so-called 'phishing' messages look as if they come from a trusted source and lead victims to type their user names and passwords into a fake website the hackers control.

It's also possible that the hacked celebrities had easy-to-guess passwords. Typically, online services lock an account, or at least slow further attempts, after a handful of wrong guesses. But until this week, Apple's iCloud backup service put no such limit on guesses: an attacker could keep trying password after password and would never be locked out.

"We take user privacy very seriously and are actively investigating this report," said Natalie Kerris, an Apple spokeswoman.

Michael Gregg, a security expert who helps celebrities keep safe online, believes the iCloud flaw led to the release of the photos.

"You pull down a list of common passwords and run that through," said Gregg. "You keep running through and testing until you get a hit on one. That appears to be the most likely way this happened."
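To make the attack Gregg describes concrete, here is an added example (not code from the article, from Apple, or from Gregg) that runs a list of common passwords against a toy login service, once with the lockout most services apply and once without it. The wordlist, the user name "celeb" and both passwords are constructed for the illustration; the second password is the pass phrase the article uses below.

```python
import hmac

# Constructed wordlist of common passwords, assumed for illustration only;
# real attacks use lists of millions of leaked passwords.
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "iloveyou",
    "jennifer", "princess", "sunshine", "abc123", "welcome",
]


class LoginService:
    """Toy password check with an optional per-account lockout.

    max_attempts=None reproduces the no-lockout behaviour the article
    attributes to iCloud: every guess is checked, however many are sent.
    """

    def __init__(self, users, max_attempts=None):
        self._users = dict(users)          # user name -> password (plaintext, toy only)
        self._max_attempts = max_attempts  # consecutive failures before lockout
        self._failures = {}                # user name -> consecutive failures so far

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        if (self._max_attempts is not None
                and self._failures.get(username, 0) >= self._max_attempts):
            return "locked"
        stored = self._users.get(username, "")
        # Constant-time comparison so timing does not leak how much matched;
        # a real service would compare salted password hashes instead.
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            self._failures[username] = 0
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return "denied"


def dictionary_attack(service, username, wordlist):
    """Try each candidate in order until one works or the account locks.

    Returns (password_found_or_None, guesses_sent, locked_out).
    """
    sent = 0
    for guess in wordlist:
        sent += 1
        result = service.login(username, guess)
        if result == "ok":
            return guess, sent, False
        if result == "locked":
            return None, sent, True
    return None, sent, False


def demo():
    """Run the attack under the three conditions the article discusses."""
    weak = "sunshine"
    strong = "1 Day I ate 364 bananas & 13 cherry Pies!!!"
    return {
        # weak password, no lockout: the list hits on the 8th guess
        "weak_no_lockout": dictionary_attack(
            LoginService({"celeb": weak}), "celeb", COMMON_PASSWORDS),
        # weak password, lockout after 5 failures: the attacker is cut off first
        "weak_lockout": dictionary_attack(
            LoginService({"celeb": weak}, max_attempts=5), "celeb", COMMON_PASSWORDS),
        # long pass phrase, no lockout: the whole list runs out without a hit
        "passphrase_no_lockout": dictionary_attack(
            LoginService({"celeb": strong}), "celeb", COMMON_PASSWORDS),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two things the toy makes visible: the lockout, not the password, is what stops the wordlist when the password is weak, and the pass phrase survives only because it is not on the list. A plain failure counter has its own failure mode, since anyone who knows a user name can lock the real owner out, so production services usually throttle by source address as well as by account, lengthen the delay with each failure and alert on the pattern rather than relying on a hard cut-off alone.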

Celebrities are already prime targets of malicious behavior, so they need to take extra precautions online to keep hackers at bay. Strong, hard-to-guess passwords are a must, as is two-factor authentication, which requires a second proof of identity, typically a code from the smartphone in your hand, in addition to the password. Two-factor authentication only helps on the logins and services that actually enforce it, so it is worth checking which of an account's access paths it covers.

Pass phrases are an especially strong kind of password: long strings that are easy to remember but hard to guess and unlikely to appear on any list of common passwords ("1 Day I ate 364 bananas & 13 cherry Pies!!!").

Since so much information about celebrities is available online, it isn't particularly difficult for a hacker to pose as a famous person's trusted friend or loved one. Nor is it hard to answer a celebrity's security questions when the answers can be found on Wikipedia.

That's what happened to former Alaska Gov. Sarah Palin when hackers accessed her personal email account: one of the security questions she had set for recovering her password was her birthday.