As you have undoubtedly heard, over 100 female celebrities have had their nude and other compromising photos leaked and published.  The big headline that has been circulating is that these images were acquired via hacked iCloud accounts of the affected celebrities.  Apple's iCloud is an online service that automatically stores emails, contacts, photos, and other information to enable the data to be synced and shared to multiple devices.  After initially uploading some of the images on 4Chan, the anonymous hacker demanded payments via Bitcoin and PayPal in exchange for posting the images.  

The term you will find across all the news coverage of this incident is that the iCloud accounts were “hacked”.  Unfortunately, this term is never really defined, leaving the idea of “illegally gaining access to a computer” open to broad interpretation.  Upon examination of the metadata found in the images, it seems that the vast majority of them were taken with Apple devices.  This adds to the wave of mass panic that iCloud has been hacked, which Apple has not confirmed at all.  However, the possibility that someone actually did “hack” iCloud is highly unlikely.

In order to gain access to someone else’s Photostream, you would have to use their iCloud user name on either a new OSX or iOS machine.  Once you do that, iCloud will send an e-mail to the registered address informing the owner that a new machine has logged in to the account.  In addition, a notification is sent to all the other machines registered on that iCloud account.  Because the iCloud safety mechanism quickly informs someone when a new machine gains access, a person would normally realize right away that they have been hacked, and then proceed to immediately change their password.  This would prevent a hacker from being able to download much, if any, of the stored data.  This safety mechanism is one of the reasons why many experts don’t believe that someone actually hacked iCloud.

What is actually much more likely is that this attacker targeted specific victims (in this case, female celebrities) using a combination of cracking the password, social engineering, as well as Apple’s “Forgot my password” option.   In addition, less technical methods could have been employed (as a side-note, it is usually the nontechnical methods that turn out to be the means used for “hacking”).

So what are the most likely non-technical methods employed in this leak? 

First, the hacker would have had to guess the email addresses and passwords.  A Time article in June referenced that actress Jennifer Lawrence had a new email with a keyword in it.  This is a huge mistake: never let a clue about your email be released to the public domain.  If an email address is known or guessed, anyone can target the owner of the address, while purporting to be something else, such as Apple’s iTunes for example.  If they succeed in their ruse, the targeted person will enter their password and email into the false page.  And voila: the hack is complete.  

In addition, if someone uses the same password for multiple accounts (such as Netflix, eBay, or Amazon), then if a hacker gains access to one of those accounts, they could potentially use the same password to access the victim’s email and even their iCloud.  Besides that, if a hacker knows their target’s birthday and the answers to some security questions, it is possible they can gain access to a victim’s account through Apple’s “Forgot my password” route.  This is particularly true for celebrities, who have a ton of information about themselves published.  Once a hacker is inside an iCloud account, they wouldn’t be able to see photos or videos that have been automatically uploaded, but they can once they download them.

In theory, there was the suggestion from The Next Web that a ‘brute force attack’ via an automated program could have hacked iCloud (Note: brute force attacks use a malicious script to repeatedly guess passwords in order to pinpoint the correct one).  While there appeared to be a vulnerability in the Find my iPhone service that could make it possible, Apple has allegedly already fixed the flaw, and there has been no official confirmation that this was the culprit.
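
As an added illustration (not part of the original article, and not a description of Apple's systems), the sketch below shows the usual defense against the repeated password guessing described in the note above: a failed-login limit keyed by account and shared by every endpoint that checks the password. The class name, endpoint names, thresholds and sample events are assumptions constructed for the example.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window limit on failed logins, keyed by account (not by endpoint)."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures
        self.window = window                  # seconds over which failures are counted
        self.lockout = lockout                # seconds an account stays locked
        self.failures = defaultdict(deque)    # account -> timestamps of recent failures
        self.locked_until = {}                # account -> time the lock expires

    def allowed(self, account, now):
        return now >= self.locked_until.get(account, 0)

    def record(self, account, success, now):
        """Record an attempt; return True if this attempt triggered a lockout."""
        if success:
            self.failures.pop(account, None)
            return False
        q = self.failures[account]
        q.append(now)
        while q and q[0] <= now - self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            q.clear()
            return True
        return False

def replay(events, throttle):
    """Replay (time, endpoint, account, password_ok) events; return each outcome."""
    out = []
    for t, _endpoint, account, ok in events:
        if not throttle.allowed(account, t):
            out.append("blocked")   # rejected before the password is even checked
            continue
        locked = throttle.record(account, ok, t)
        out.append("ok" if ok else ("locked" if locked else "failed"))
    return out

# Constructed sample: guesses alternate between two hypothetical endpoints.
SAMPLE = [(i * 2, "login" if i % 2 else "device-locator", "user@example.com", False)
          for i in range(8)]
SAMPLE.append((20, "login", "user@example.com", True))    # correct guess while locked
SAMPLE.append((2000, "login", "user@example.com", True))  # owner, after the lock expires
```

Because the counter ignores which endpoint received the guess, spreading attempts across services does not reset it. Account lockout can itself be abused to lock the owner out, so real deployments usually pair it with per-source limits.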

When investigating this latest attack, there are other possibilities that need exploring: 

Could the initial “hack” have been to another service? This is possible since many of the images don’t appear to have been taken with Apple products.  Some of the photos have writing on them: possibly the images came from Snapchat? Or someone’s screen shots? Were they hacked via WiFi at a celebrity event?  Could it have been an insider, someone who works directly with some of the celebrities? Was someone’s actual device stolen, and then their connections’ information compromised? 

News outlets are going to be kept busy as answers to these questions develop, but there is one question that everyone wants answered now: should we be worried? Are our online accounts that susceptible?  The answer: no. iCloud is almost certainly safe.  For the reasons mentioned above, whoever acquired the compromising images appears to have used a targeted attack on these celebrities.   But there are precautions you can take:

1. Use the two-step (or ‘two-factor’) verification for your online accounts.  These settings would mean that in order for someone to hack into your account, they would need access to your physical phone AND your phone’s password to get in (you do have a password for your phone, right?!).  These services send a text message to your phone with a temporary PIN in order to access your account.  This makes your accounts a lot harder to break into.

2. Don’t use easy passwords and security questions.  Your birthdate, your pet’s name, the make of your car, etc. are not good security answers: those answers can be found by someone else with a bit of digging.  And in case this has not been told to you before, “qwerty”, “123456,” and “password” are NOT smart password choices.

3. If you want to be super circumspect, then completely turn off the automatic photo syncing.  For iCloud, all you have to do is go to Settings > iCloud.  It is that easy.  If you do that, then the photos will only be on the phone or camera you take them with, and whatever computer you might back them up on.  Just don’t lose your phone or your computer.   

No matter what, you should always be careful about what you put online.  The invasion into these people’s private photos is an egregious crime, but it is also a reminder that nothing online can be certified private.  For your personal information, use security.  Hopefully, the hacker will be identified in this case, and we can find out just exactly how they were able to acquire so many photos from different people.

Until then, no need to panic about your online accounts being hacked.  Just use prudence in what you post, and all the security features available, and your stored data should be more than just fine.  

 

Sources: 

TechCrunch