Nude photos of Hollywood stars, including Oscar-winning actress Jennifer Lawrence, are being shared widely on the net following what some are calling an “iCloud hack”.
More than 100 celebrities, including “Hunger Games” star Lawrence, Kate Upton, Kim Kardashian, Cara Delevingne, Vanessa Hudgens, Kirsten Dunst and Ariana Grande are alleged to have also had their private snapshots and, in some cases, videos published for anyone to see on the internet.
Jennifer Lawrence’s management team issued a statement, saying that they would pursue whoever was responsible for the leak, and warning others not to distribute them:
“This is a flagrant violation of privacy. The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence.”
That seems like a reasonable response to me - too many celebrity websites seem to think it’s okay to publish private photos of female stars that have clearly been accessed illegally. Remember the media activity when naked pictures of film actress Scarlett Johansson were stolen by a hacker a few years ago?
Surely some of these actresses and pop stars have enough pressure on them to maintain a certain body image, with the requirements to exercise constantly and barely eat, without the additional stress and embarrassment of knowing that amateur intimate and private photos are being leched over by strangers.
But what’s most interesting to us is - what are the security lessons here?
Here’s a quick Q&A:
What has happened?
Hundreds of photos, and some videos, have leaked onto the net of a wide range of actresses/models/whatever. Links to the images have been widely shared on sites like 4Chan and Reddit.
When did this happen?
Well, links to the images started appearing yesterday online… but it’s unknown when the security breach occurred.
A tweet from one of those affected, actress Mary Winstead, implies that the photos that have been leaked of her were taken years ago and then deleted.
“To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves.”
“Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked.”
Remember, even if a photo has been deleted from your physical phone - it might still exist somewhere in a backup.
It’s possible that whoever collected the naked images has been doing so for quite some time, amassing a collection for his or her own entertainment. If naked images of celebrities are your bag, it’s possible you would curate quite a large “butterfly collection”.
Are all the photos genuine?
Some of the photos are faked. Others do appear to be genuine. The quote from Jennifer Lawrence’s representatives, for instance, confirms that the images of the actress have been stolen.
Was an Apple iCloud hack responsible?
We don’t know. There have been claims that iCloud may be involved, but it’s tricky to confirm even if all of the celebrities affected use Apple devices.
Many folks are blissfully unaware that iPhone photos are automatically sent to an Apple iCloud internet server after they are taken. That’s great in some ways - it means they’re easily accessible on our other Apple devices - but might be bad in others.
Even if they were all using iCloud, it’s possible that there isn’t a security hole in iCloud itself but rather that celebrities had not properly secured their accounts with - for instance - hard-to-guess passwords.
So, if they had a hard-to-guess password, they would have been safe?
Not necessarily. After all, they could always have been phished or have shared that password with one of their assistants or have used the same password somewhere else on the net.
All this, of course, depends on knowing your target’s email address in the first place. The email addresses of celebrities aren’t, understandably, easy to determine - but if one celeb manages to get hacked their address book might be a goldmine for hackers who wish to widen their attack.
Also, in the last few days proof-of-concept code has been shared online which claims to brute force iCloud accounts - although it’s hard to believe that this could have been successfully used against a wide number of accounts without detection in a short space of time.
Apple has now reportedly prevented the code from working, although it’s important to stress it has not been confirmed that this was involved in the celebrity hack.
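To illustrate why large-scale password guessing is hard to do without detection, here is an added example (not code from this article or from Apple) that scans a login log for bursts of failed logins, both per source address and per account. The log format, field names, sample lines, time window and threshold are all assumptions made up for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format: time, source IP, account, result
SAMPLE_LOG = """\
2014-09-01T10:00:00 198.51.100.7 alice@example.com FAIL
2014-09-01T10:00:02 198.51.100.7 alice@example.com FAIL
2014-09-01T10:00:04 198.51.100.7 bob@example.com FAIL
2014-09-01T10:00:06 198.51.100.7 carol@example.com FAIL
2014-09-01T10:05:00 203.0.113.20 dave@example.com FAIL
2014-09-01T10:05:30 203.0.113.20 dave@example.com OK
2014-09-01T11:00:00 192.0.2.1 erin@example.com FAIL
2014-09-01T11:00:10 192.0.2.2 erin@example.com FAIL
2014-09-01T11:00:20 192.0.2.3 erin@example.com FAIL
2014-09-01T11:00:30 192.0.2.4 erin@example.com FAIL
"""

def parse(log_text):
    """Turn log lines into event dicts, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, account, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "account": account, "ok": result == "OK"})
    return sorted(events, key=lambda e: e["ts"])

def flag_bursts(events, key, window_s=60, threshold=4):
    """Map each `key` value ("src" or "account") to its peak count of failed
    logins inside a sliding window, if that count reaches the threshold."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # key value -> timestamps of recent failures
    flagged = {}
    for e in events:
        if e["ok"]:
            continue
        q = recent[e[key]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[e[key]] = max(flagged.get(e[key], 0), len(q))
    return flagged

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(flag_bursts(events, "src"), flag_bursts(events, "account"))
```

Grouping by source catches one address trying many accounts; grouping by account catches guesses against one account spread across many addresses, which a per-source limit alone would miss.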
How else might they gain access?
Many sites give you a “Forgot your password” option, or ask you to jump through hoops by answering “secret questions” to prove your identity.
However, in a celebrity’s case, it may be particularly easy to determine the name of their first pet, their birth date, or their mother’s maiden name with a simple Google search.
This is why you should never answer those “secret questions” honestly, but instead make up an answer. That explains why my first pet was called “4CxZnn9P”.
A further possibility is that celebrities might have (knowingly or unknowingly) given access to their accounts to other users. In the case of celebrity hacker Christopher Chaney - who pleaded guilty to hacking into the Apple, Gmail and Yahoo accounts of starlets like Scarlett Johansson and Mila Kunis in 2011 - he automatically forwarded any email the hacked celebrities received to an account under his own control.
What about two-factor authentication?
If available, always enable two-factor authentication (2FA) on online services. 2FA makes life much harder for hackers attempting to hijack control of accounts and devices, as it means they require more than just your username and password. They also need a one-time password (OTP) that is sent to your device itself.
Unfortunately, although Apple has had 2FA since early last year, it has been slow to bring it to iCloud accounts. It would be great to see Apple make such protection mandatory, rather than an opt-in choice for the few who even know about it.
You can learn how to enable Apple’s 2FA protection here.
In my mind, the lack of two-factor authentication is likely to have played a critical part in this security breach.
No doubt there will be more to learn about this case in the coming weeks. Watch this space… and don’t forget the most important question of all:
I’m a celebrity. How do I stop hackers from stealing my naked photos?
Simple. Stop taking naked photos of yourself.
In fact, that’s good advice for the non-celebrities too.
The only photos that can ever be stolen from you are the ones that you take. Take no nude photos and you’re safe.
If you really *must* take a nude photo (and ask yourself - WHY must you do that?), maybe it’s unwise to have it anywhere other than on your phone.
And at least keep your face (and any distinguishing tattoos) out of shot.