Google accounts have been hacked in the same social engineering way as well before, by Phishing, or finding the passwords. As have other services where people who've used weak passwords. That's what apparently happened here. . . and at this point the guy who posted them on boards.4chan.org originally is now claiming he doesn't really know where they actually came from. He claimed iCloud because he thought it sounded plausible.
Reddit users on Monday claimed to have learned the identity of the leaker and circulated these images of Bryan Hamade, a 27-year-old from Georgia. Hamade vehemently denied being the leaker in an interview with BuzzFeed.
“I am not behind this. It was so stupid — I saw a lot of people posting the actual leaks and bitcoin addresses and I’ve read a lot about bitcoin and how they’re are valuable and I thought, oh cool I’ll get free bitcoins,” Hamade told BuzzFeed. “I am just an idiot who tried to pull one over on 4chan and lost big time and stupidly left this identifying information. They took my proof and back traced it — it isn’t remotely true. I am not a hacker. I have no idea how the hell someone could hack into all those accounts,” he said.—Source Buzzfeed
Examination of the metadata of the celebrity photos reveals that there're photos from Apple devices, Android devices, Windows PC webcams, Tumblr, and apparently other sources, unlikely to be uploaded by Apple devices. Some of the selfies show Android phones taking the pictures.
The creator of the script claimed to have been used was interviewed and claims it works on many services:
"We discussed the tool with its creator, Hackapp, over Twitter, who said “This bug is common for all services which have many authentication interfaces” and that with “basic knowledge of sniffing and reversing techniques” it is “trivial” to uncover them. When asked if the method could have been used in the celebrity hack today, Hackapp said “I’ve not seen any evidence yet, but I admit that someone could use this tool.”
So, at this point it is not an absolute fact they came from Apple iCloud, although it is possible. I'm waiting for more facts.
The three weeks before any major announcement from Apple is historically FUD Season. . . and this period is proving to be no different than any FUD Season in the past. Just look at this thread: why is it news that Apple may contract for some server space for overflow with Amazon or Microsoft when Apple is already building the largest distributed server farm network anyone has seen? I find it quite amusing.