Tinseltown has been hacked: nude or explicit photos of around 100 celebrities have been illegally accessed and posted on the 4Chan anonymous image-sharing platform.
The celebrities include Jennifer Lawrence, Kim Kardashian, Kirsten Dunst as well as Brits Kelly Brook, Michelle Keegan, and Cat Deeley.
How did it happen?
Jennifer Lawrence is - so far - leading the understandably outraged reaction, saying that she intends to take legal action for invasion of privacy. Whilst Ms Lawrence has confirmed that the photos are genuine, some celebs are dismissing them as fake and/or over two years old. There’s no saying, then, exactly when the first hack took place.
The perpetrator has not confirmed exactly how he or she accessed the photos, but possible hacking routes are phishing, irresponsible sharing of password details, or using the same password on multiple website accounts. Of course, a natural consequence of one celebrity email account being hacked is that it opens up the possibility of hacking further into their network - of friends, that is.
It is emerging, though, that the most likely route was by cracking weak personal passwords on Apple’s iCloud and accessing the celebs’ storage areas. Certainly no one has suggested that iCloud itself has a security flaw, but they have recently issued a patch for a piece of programming code which could help crack user accounts by using the 500 most common passwords approved by Apple’s rules. The script allowed anyone using it to repeatedly guess passwords on Apple’s ‘Find my iPhone’ service without locking them out or issuing an alert. Once in, the hacker would have access to the iCloud storage areas - and any photos there.
Although Apple has said they are aware of the photo hacking scandal, they have not issued any statement other than that they will comment in due course. If nothing else, they are likely to offer advice on how to avoid a personal iCloud security breach.
How to avoid the naked truth
Heading the list of weak links in the security chain is the users themselves: passwords are invariably inadequate when it comes to ensuring privacy from a determined hacker. Passwords can be made stronger by including numbers, upper and lower case letters, and special characters but, if you do nothing else, you should make your passwords longer – long passwords or phrases are hard to crack. ‘D0ntGetCaughtWithY@urPantsD()wn!’ would take over 200 million years to crack – yes, you read it right. No one would be interested in your photos by then. Surely?
Get to know how remote storage systems like iCloud work: many don’t realise that it syncs recorded media from all devices as soon as a WiFi link is established, or any time the device is recharged or rebooted. This means that deleting a photo on one device isn’t enough if you want no record of it; it has to be deleted from the cloud as well. (One very simple solution is to turn off iCloud backups under the iPhone’s Settings, but the downside is that you lose the option to recover records after a device failure.)
Use the security feature on iCloud that is not widely known about: two-factor authentication. In addition to the usual username and password, a one-time password is sent to the device itself and must be entered before access is granted. It’s not a default setting, though, and must be manually enabled.
So, if you don’t want to become a celebrity yourself – even if it’s only down at the local pub – use a strong password, invoke two-factor authentication and - safest of all - avoid the urge to take nude or risqué selfies. However, if the Devil does make you do it, stick to bathing suits not birthday suits…