Skip to main content

Here’s What We Know So Far About The Celebrity Photo Hack



As you will by now have probably read, around 100 women celebrities (including Jennifer Lawrence, Ariana Grande, Victoria Justice and Kate Upton) have had naked and explicit pictures seemingly hacked from their iCloud accounts and published online, first on 4Chan and now all over the place. As a reminder, iCloud automatically stores photos, email, contacts and other information online, allowing users to sync this data across different devices. Many of the photos have been confirmed as being genuine, most notably by Lawrence.

The anonymous hacker who originally posted the images first on 4Chan claimed they were taken from iCloud accounts. They demanded donations via PayPal and Bitcoin in exchange for posting them, but only received 0.2545 BTC in donations, which is verifiable at this address: 18pgUn3BBBdnQjKG8ZGedFvcoVcsv1knWa

While it’s highly unlikely to be a security issue with iCloud, the incident has served to remind us all of the issues around internet security in general.

So what do we know about the celebrity photo hacks?

THE MEDIA
The mainstream media is reporting the phones were “hacked”. As usually, this is rarely defined.

Lawrence has previously said she uses iCloud, once saying: “My iCloud keeps telling me to back it up, and I’m like, I don’t know how to back you up. Do it yourself.” Metadata in the images shows that the vast majority were taken using Apple devices.

THE ‘HACK’
There is a suggestion that iCloud has been “hacked”. There has been absolutely no confirmation of this from Apple.

It’s highly unlikely that the “hacker” (or it may have been a group of hackers) was not able to breach Apple’s security in general, but instead targeted specific victims using a combination of social engineering, cracking the password or using Apple’s “Forgot my password” route. They could also have used other less technical methods (it’s usually the non-tech method that turn out to be the culprit, btw).

GUESSING EMAIL ADDRESSES AND PASSWORDS
Jennifer Lawrence was once quoted in a Time article about her email address containing a key word. Not a wise move. Never give clues in the public domain. Once an email address is known, a hacker could email the target person purporting to be something else (Apple’s iTunes for instance). The target puts their email and password into the hacker’s fake page. Voila.

This phishing attack is emerging as a likely culprit.

Also, having the same password for multiple products (such as eBay and Amazon) means a hacker, if they can get one account right, could use the same password to access your email or iCloud.

Also, Apple’s “Forgot my password” system means that if you know the victim’s birthday and the answers to some security questions, you might gain access to their account. There is a LOT of information out there on celebrities, so coming up with ideas for passwords is entirely possible.

Once inside it’s not possible to see photos or videos which are automatically uploaded from your iPhone to iCloud but you can use software to download it all. Again, voila.

iCLOUD’S SAFETY MECHANISM

To gain access to Photostream, you would need to login with the iCloud user name on a new OSX or iOS machine. If you do that, iCloud sends you an e-mail that a new machine has logged in. You also get a notification on all the other machines using your iCloud account (iPhone, iPad, Mac) telling you a new machine is logged in. So, basically, when you get both mails and notifications, the normal reaction would be to realise you were being hacked and to change your password immediately. Since the notification is almost instant, changing the password very quickly would mean Photostream wouldn’t be able to sync to the Hacker’s machine fast enough for it to download 30 days of photos.

This is one of the main reasons why most experts don’t suspect this incident to be a hack of iCloud.

A PROPER HACK
Another method might be a ‘brute force attack’ on an iCloud account via an automated program. This is hard on iCloud, though theoretically possible.

The Next Web suggests that a Python script on Github (and shared on Hacker News) recently allowed malicious users to ‘brute force’ a target account’s password on Apple’s iCloud, thanks to a vulnerability in the Find my iPhone service. Apple appears to have already patched the hole, however.

There’s no official confirmation this is the culprit though.

WAS IT VIA ANOTHER SERVICE?
Since many of the images appear to have been taken with Android devices and webcams, the leaked images may not have originated from the iCloud photo backup service at all. Many services have automatic backup tools, and could be accessed in similar ways to iCloud (as above).

SNAPCHAT?
Some of the photos had text overlaid. Were they from Snapchat? Probably not. These are most likely screen shots on someone’s phone.

VIA Wi-Fi?
Were phones hacked via WiFi, perhaps at a celebrity event? This is also not known or confirmed.

AN INSIDER?
Personal assistants and bodyguards often have access to celebrity phones. It’s a possibility. Was this hack an employee with access to data somewhere? Again, there’s on confirmation of this (and no suggestion it happened).

A STOLEN DEVICE?
There is aways the physical theft of a phone or laptop of a celebrity or belonging to someone well-connected to celebrities.

SHOULD YOU BE WORRIED?
No. iCloud is almost certainly safe. This looks like targeted attacks on well-known and ‘high value’ celebrities using some of the above methods.

HOW TO BETTER PROTECT YOURSELF
The best way is to turn on two-step (or ‘two factor’) verification for your iCloud account (or any online account), meaning a hacker would also need physical access to your phone AND your phone’s password to get in, via a text message sent to your phone with a temporary PIN. All the other services, like Google, also have two-step authentication. Check out TwoFactorAuth.org

Make your security questions more complex (e.g. not your date of birth, your pet’s name etc). ‘qwerty’ or ‘123456’ are the dumbest passwords ever.

Still really, really, really worried? Then completely turn off iCloud photo syncing through Settings > iCloud. Or any similar automatic backup service. Then the photos will only ever be on your phone or the computer you back them up to. Then you have to worry about the phone or laptop being stolen and losing your photos…

BE CAREFUL OUT THERE

This is not the first time private celebrity images have been compromised. In 2011 many celebrities had images compromised by hacker Christopher Chaney who got into email accounts simply by guessing passwords. Chaney was caught and sentenced to 10 years in prison.

But guys like that are rarely caught. So use better security for your personal stuff.

And remember: Taking naked photos of yourself is not a crime and you have nothing to apologise for. It’s the hacker in all these kinds of cases that is the criminal.

Comments

Popular posts from this blog

How To Hide Text In Microsoft Word 2007, Reveal It & Protect It

Sometimes what we hide is more important than what we reveal. Especially, documents with sensitive information, some things are supposed to be ‘for some eyes only’. Such scenarios are quite common, even for the more un-secretive among us. You want to show someone a letter composed in MS Word, but want to keep some of the content private; or it’s an official letter with some part of it having critical data. As important as these two are, the most common use could involve a normal printing job. Many a time we have to print different versions of a document, one copy for one set of eyes and others for other sets. Rather than creating multiple copies and therefore multiple printing jobs, what if we could just do it from the same document?  That too, without the hassle of repeated cut and paste. We can, with a simple feature in MS Word – it’s just called Hidden and let me show you how to use it to hide text in Microsoft Word 2007. It’s a simple single click process. Open the docum...

Build Your Own Awesome Personal 3D Avatar with Avatara

Do you use social networks and want to build your own awesome 3D avatar? Maybe you want to send someone a cute cuddly image of yourself (kind of)? Or maybe you have your own ideas of what you would do with an Avatar… Well look no further than Avatara which I discovered from the MakeUseOf directory . You can create 3d avatars out of pre-set up templates or create your own from scratch. To start, visit Avatara’s homepage . You will see this screen: Click Get Started to umm, get started! That will take you to this screen: You see that you can build your own Avatar using an uploaded head shot like the Obama one above (just an example, guys). Or roll with one of their awesome avatars. I chose to start with a blank avatar by clicking Start with a blank avatar at the bottom of the screen. That takes you to here: I clicked on the filter at the top and told it to filter out everything but male characters and then I saw this: I rolled with Buck and continued. You need to click Select...

Ex-Skypers Launch Virtual Whiteboard Deekit

Although seriously long in the tooth and being disrupted by a plethora of startups, for many years Skype has existed as an almost ubiquitous app in any remote team’s toolkit. So it seems apt that a new startup founded by a team of ex-Skype employees is set to tackle another aspect of online collaboration. Deekit, which exits private beta today, is a virtual and collaborative whiteboard to help remote teams work smarter. The Tallinn, Estonia-based startup is headed up by founder and CEO, Kaili Kleemeier, who was previously a Head of Operations at Skype. She and three colleagues quit the Internet calling giant in 2012 and spent a year researching ideas in the remote team space. They ended up focusing on creating a new virtual whiteboard, born out of Kleemeier’s experience collaborating with technical teams remotely, specifically helping Skype deal with incident management. “Working with remote teams has been a challenge in many ways – cultural differences, language differences, a...