Today, a massive collection of private photos from numerous celebrities, including Jennifer Lawrence, was leaked onto the Internet. The images were leaked on 4Chan by several users.
Some media are reporting that the celebrities’ “phones were hacked.” However, it appears that the source of many of the leaks may have been the iCloud service the images were backed up to. This has not been confirmed, and iCloud may be only one source.
Apple has not yet responded as to whether this is part of a larger potential compromise of the iCloud infrastructure or simply the leakers gaining access to the celebrities’ accounts by guessing passwords or other methods. Numerous images of the celebrities have been released, and the leakers claim that more are to come, as well as videos.
Given the number of celebrities compromised, it could be a combination of multiple services and a number of people involved. This type of data, like credit card information, is commonly found on the deep web, where hidden services are used to run underground forums that trade in revenge porn and celebrity images.
This is not the first time private celebrity images have been compromised. In 2011 Scarlett Johansson, Christina Aguilera and others had images leaked by Christopher Chaney, who compromised multiple celebrity email accounts simply by guessing their passwords. Chaney was caught and sentenced to 10 years in prison.
It is important for celebrities and the general public to remember that images and data no longer reside only on the device that captured them. Once images and other data are uploaded to the cloud, it becomes much more difficult to control who has access to them, even if we think they are private. Although many cloud providers may encrypt the data communications between the device and the cloud, that does not mean the images and data are encrypted at rest. If you can view the image in the cloud service, so can a hacker.
Two Factor Authentication Helps
In addition to being careful about what you upload, you can turn on two-factor authentication, which most cloud-based and social media services provide, including Google, Microsoft and Apple’s iCloud. However, it is usually not enabled by default. In Apple’s iCloud, it can be found under “Password and Security” in your profile, where you can enable “two-step verification.” Although many feel the additional security is a hassle, it helps mitigate many of the risks that arise when an attacker guesses your login credentials or obtains them through a phishing attack or other malicious methods.