Who Was Hacked?
Perhaps nobody. "We don't know if they were truly taken from iCloud or, for example, just Photoshopped by someone looking for publicity," said Carl Howe, vice president of data sciences for the Yankee Group, an information technology research company.
If you believe the still-unknown hacker or hackers, more than 100 celebrities had personal photos harvested, some of them explicit — with more photos to come. Jennifer Lawrence's publicity team called the alleged pictures of the Oscar winner "a flagrant violation of privacy" and promised prosecution, while Mary Elizabeth Winstead said on Twitter that photos of her were ones the singer and actress thought she'd deleted herself.
The FBI said Monday it's "aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter." Meanwhile, Apple Inc. — whose cloud storage service many of the photos appeared to have come from — said it's "actively investigating" the claims.
How Was It Done?
That hasn't been nailed down, but there are three main theories. One is what's known as a social engineering attack — the hacker or hackers simply "guessed a celeb's password or got it from a friend," Howe said.
The second theory involves what's called a brute-force attack. Announcement of the leak came very quickly after a team of developers revealed on tech forums that they'd found a bug in Apple's Find My iPhone service allowing anybody who learns your username to simply keep entering hundreds or thousands of passwords until he hits Bingo.
But "I think it's safe to say that this was not done with a brute force hacking tool," Moorhead said as further details of the photos emerged Monday, including data that indicated they were squirreled away not just on iCloud, but also on other popular online storage services.
The theory of Moorhead and several other experts consulted by NBC News is that the alleged hack probably started somewhere else, likely on an e-commerce site — somewhere "where somebody used the same login for another service where other photos were kept," Moorhead said. Once the hacker had an email address and either a username or a password, he or she could have gone to any one of a number of sites and used the "forgot my login" feature to get access to that site — and very likely several other sites, because the painful truth is that most people use the same login information for most of their online activities, security experts said.
How Safe Are You?
Millions of people and companies upload their most sensitive data to services like iCloud and Dropbox in "the cloud" — enormous online servers that you access as though they were your own hard drive. That way, "you can always have a backup if your computer is lost or stolen," said Mark Rasch of Rasch Technology and Cyberlaw, who's a former director of the Justice Department's Computer Crime Unit.