Over Labor Day weekend, alleged nude photographs of a number of female celebrities including Jennifer Lawrence, Kate Upton, Kirsten Dunst, and Arianna Grande were posted online. Spokespeople for some of the victims, including Lawrence, have confirmed the authenticity of the photos and blasted the leak as a violation of their privacy. Others have called the photos fake.
Dunst tweeted out some emoji calling iCloud, the Apple service that was supposed to protect her photos, a piece of, well, excrement:
Thank you iCloud— Kirsten Dunst (@kirstendunst) September 1, 2014
How did the leaks happen? Has this kind of thing happened before? And what can people do to protect themselves? Read on for details.
Who posted the photos?
The photos first appeared on 4chan, which is the Mos Eisley Cantina of the internet. Founded a decade ago as a forum for swapping anime pictures, it has become a popular place for posting controversial images of all kinds — including a lot of pornography.
4chan has had a large influence on the culture of the internet. It is generally credited as the birthplace of the LOLcat phenomenon and as well as rickrolling. The online quasi-movement Anonymous also emerged from 4chan message boards.
Anyone can post images on 4chan, and the site allows people to post anonymously. So we don't know who posted the photos, and finding the culprit could prove challenging. One man who posted a message claiming responsibility and seeking bitcoin donations is now vehemently denying he was the source.
Are the photos authentic?
At least some of them are. Spokespeople for actress Jennifer Lawrence and model Kate Upton have tacitly acknowledged that images of their clients are authentic. They blasted the release as a violation of their privacy. Other celebrities, including actress Victoria Justice and musician Ariana Grande have said that the photos are fake.
How did the perpetrator get ahold of the photos?
At this point, we can only speculate, but there's some circumstantial evidence that security vulnerabilities in Apple's iCloud service may have been to blame.
Some security experts have pointed to a security hole in Apple's iCloud as one way hackers could have accessed the private images. Information about the vulnerability was posted online on August 30, a day before the photos first appeared online. Ordinarily, if someone tries to guess a user's password over and over again, an online service will notice and limit the number of guesses someone can make. But Apple's "Find My iPhone" service allowed a user to guess an unlimited number of times, which an attacker may have exploited to guess the victims' passwords.
Also, earlier this year one of the hacking victims, Jennifer Lawrence, told a reporter, "my iCloud keeps telling me to back it up, and I'm like, I don't know how to back you up. Do it yourself." So we know that she's an iCloud user and may not be terribly familiar with the finer points of configuring her iCloud account. Dunst has also hinted that iCloud was to blame.
Why would victims have uploaded sensitive photos to the internet?
They might not have known they were doing so. Apple has a feature called "My Photo Stream." According to Apple's FAQ, "when you take a photo on one device, it automatically appears on all of your other devices. " Victims might have enabled this feature not realizing the implications.
And to be fair, iCloud isn't the only software that works this way. Google has similar functionality for Android. It's extremely convenient to have all of your files available to you no matter what device you're using. But it also means that all of your files are on an Apple or Google server where they are more vulnerable to hacking.
Has this kind of thing happened before?
Yes. In 2012, hacker Christopher Chaney was sentenced to 10 years in prison for hacking into the email accounts of celebrities including Scarlett Johansson, Christina Aguilera, and Mila Kunis. Chaney found a couple of intimate photos of Johansson and posted them online.
Chaney used a relatively low-tech method to access the photos: he figured out the victims' email addresses and then activated the services' account recovery mechanism, which asked for information such as the names of users' pets, their place of birth, and so forth — information that could often be gleaned from publicly available information.
No nude photos were involved, but Republican Vice Presidential candidate Sarah Palin also suffered a targeted attack on her email in 2008. The culprit, David Kernell, used the same technique as Chaney, answering the "security questions" in Yahoo's account recovery tool using publicly available information. Kernell was convicted and sentenced to one year in prison.
Non-celebrity women have also been targeted by creeps who hack victims' email accounts looking for nude photographs.
It's a safe bet that if the authorities nab whoever was behind the attack on Lawrence and others, he (and history suggests it probably was a he) will face criminal prosecution.
Whose fault is it that these celebrities got hacked?
The hackers — not the victims, technology companies, or anyone else — are morally responsible for invading their victims' privacy.
It's 2014. Why are online services still vulnerable to this kind of attack?
Creating an online service that's simultaneously secure and user-friendly is an inherently difficult problem because the two objectives often come into conflict. Making an online service more secure generally involves more frequent and time-consuming authentication. However, users tend not to have much patience for this kind of thing, so products that are too picky about passwords tend to lose out in the marketplace against more convenient but less secure alternatives.
A good example of this is a technology called two-factor authentication, which increases account security by requiring users to enter a secret number that's auto-generated and sent to their cell phone each time they log in. Two-factor authentication dramatically increases account security, but users hate it. Entering the extra passcode is a hassle, and you can get locked out of your account if you happen to forget your phone. Almost every major technology company offers 2-factor authentication, but only a tiny fraction of users have signed up.
The account-recovery process represents a particular area of vulnerability for online services. Users sometimes forget their passwords, and services need some way to deal with that. But any system that lets the legitimate user access an account without a password by definition also provides an extra way for hackers to break in. Traditionally, many online services used "security questions" that ask users for information only they know ("What street did you grow up on," "What was the name of your third-grade teacher"), but this information isn't always that difficult to figure out.
Other approaches don't seem to work any better. For example, human help line workers can be fooled, as a Wired writer discovered in 2012 after a hacker tricked Apple tech support into issuing him a temporary password for the victim's account. And if tech companies implement password-recovery schemes that are too strict, they risk angering users who get locked out of their accounts permanently.
None of this is to deny that technology companies should do a better job of safeguarding our privacy. Sometimes obvious security vulnerabilities get discovered in online services, and companies have an obligation to quickly find and fix those. But users' own choices make clear that security isn't necessarily their highest priority. They want as much security as they can get without too much hassle.
What can I do to prevent hackers from stealing my personal information?
There are several steps people — celebrity and otherwise — can take to lock down their online accounts.
- Enable two-factor authentication. As already mentioned, 2-factor authentication requires you to have your cell phone in addition to your password in order to access your online accounts. It's a bit of a hassle but it's one of the best ways to boost your online security.
- Don't answer "security questions" honestly. Security questions are often the weakest point in an online service's security, since someone could to figure out the name of your pet and the street where you grew up. Instead, treat the answers to these questions as a second password. Make up long, random answers, write them down on a piece of paper, and store that in a safe place.
- Avoid re-using sensitive passwords. It's unrealistic to expect people to have a separate password for every online account. But you should at least avoid the same password for your most sensitive accounts (online banking and email for example) and less sensitive ones such as online gaming or discussion boards. A good strategy for keeping track of multiple passwords is to write them down and keep the paper in your wallet or purse. Password-management software is another good option.
- Enable the screen-locking feature on your phone. The tips so far have focused on thwarting online attackers, but you might also need to worry about someone snooping through your information after stealing your smartphone. All major mobile operating systems now offer a screen-locking feature that requires users to enter a short passphrase to unlock the phone. This feature may not keep determined hackers out, but it will certainly thwart casual thieves and may give you time to change your passwords before someone gains access to your online accounts.
Do these techniques guarantee that naked photos I share with a partner won't be published online?
Nope. If you send photos over the internet, there's an inherent risk that they'll be shared with people you didn't intend to see them. This could happen because hackers compromise your account or your partner's account. It could happen because the relationship goes sour and the recipient decides to release them out of spite. It could happen because a nosy friend or family member snoops through your email account and discovers them.
Of course, life would be pretty boring if we never took risks. Sharing naked photos can be fun, and many people are going to choose to do it regardless of the risk. But hopefully, over time users will become more used to the (occasionally annoying) security features that help them harden their online lives against the intrusions of hackers.