Hope you all had an enjoyable Labour Day long weekend, because Jennifer Lawrence, Kate Upton and more than a dozen other Hollywood actresses most likely did not. This past Sunday saw a massive leak of nude photos from these celebrities’ own mobile devices.
Apple’s iCloud backup service is widely being blamed as the service that was hacked to gain access to this material—but really, this could have gone down in a number of different ways. And I think these scenarios are worth sharing so that you don’t ever suffer a data breach of your own.
Let’s get Apple out of the way first. It has yet to be proven that this is, in fact, the vulnerability that led to the leak, but there was apparently a flaw in the implementation of Apple’s “Find My iPhone” service—which has since been patched. As The Next Web explains, prior to the patch there was apparently no limit on the number of attempts someone could make to recover an Apple ID password. Thus, if you had the email address associated with someone’s Apple ID you could use a simple script to execute a brute-force attack, repeatedly guessing a password many times a second until you eventually came across the right one.
Lesson: If ever there was a case to be made for two-factor authentication, this would be it.
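To show what the missing attempt limit looks like from the service side, here is an added example (not Apple's code and not from the original post): a per-account limiter with doubling lockouts, replayed against a constructed run of wrong guesses. The class and function names, the thresholds and the address `user@example.com` are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

class AttemptLimiter:
    """Caps failed password checks per account, with doubling lockouts."""

    def __init__(self, max_failures=5, window=300.0, base_lockout=60.0,
                 clock=time.monotonic):
        self.max_failures, self.window = max_failures, window
        self.base_lockout, self.clock = base_lockout, clock
        self._failures = defaultdict(deque)   # account -> failure timestamps
        self._lockouts = defaultdict(int)     # account -> lockouts so far
        self._locked_until = {}               # account -> unlock time

    def allowed(self, account):
        return self.clock() >= self._locked_until.get(account, 0.0)

    def record_failure(self, account):
        now, recent = self.clock(), self._failures[account]
        recent.append(now)
        while now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._lockouts[account] += 1
            delay = self.base_lockout * 2 ** (self._lockouts[account] - 1)
            self._locked_until[account] = now + delay
            recent.clear()

    def record_success(self, account):
        self._failures.pop(account, None)
        self._lockouts.pop(account, None)

class FakeClock:
    """Constructed clock so the replay runs instantly and repeatably."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now

def guesses_checked(limiter, clock, account, attempts, interval):
    """Replay wrong guesses `interval` seconds apart; return how many
    actually reached the password comparison."""
    checked = 0
    for _ in range(attempts):
        if limiter.allowed(account):
            checked += 1
            limiter.record_failure(account)
        clock.now += interval
    return checked

if __name__ == "__main__":
    clock = FakeClock()
    limiter = AttemptLimiter(clock=clock)
    print(guesses_checked(limiter, clock, "user@example.com", 1000, 0.125))
```

The limiter is keyed on the account rather than the source address because the guesser in this scenario already knows the email and can spread requests across many addresses. The trade-off is that anyone can lock a known account out on purpose, which is one reason lockouts are paired with a second factor rather than used alone.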
Business Insider has an interesting theory: the point of entry for this stolen data might have been something as innocuous as the WiFi at the Emmy Awards. Anyone with the right tools and access to that network could potentially sniff packets and capture email addresses, passwords and more. Depending on how the network is set up this could be a trivial thing to accomplish; I’ve seen it done with my own two eyes.
Lesson: Free WiFi networks may end up costing you in other ways.
3. Not One, But Many Exploits
I found this screen grab on Imgur with a possible explanation (and some NSFW language) of how the leak might have come about. Without going into too much detail it describes a secret circle of 4chan users who trade stolen celebrity photos, photos which could have been obtained any number of ways. So what seems like a massive data breach that happened all at once might actually be a dump of illicit material collected over time. This theory seems to jibe with what some of the affected celebrities have said, that the leaked media was wiped from their devices a long time ago.
Lesson: This is, I think, more about being generally vigilant when it comes to the security of your personal data. There are lots of ways to do it, and lots of ways to slip up.
I suppose too there’s the consideration of what you choose to upload to the Internet and/or send through it. I honestly don’t think I have the authority to comment on this—at the risk of showing my age, I’m from a generation where we didn’t send naked photos of ourselves to people we liked. Sucks to be me, I guess…