When it comes to the Internet, there are two certainties: celebrities will continue to take nude photos of themselves and certain hackers will try their damnedest to uncover the goodies.
Over the Labor Day weekend, photos showing "The Hunger Games" star Jennifer Lawrence in various states of nudity wound up on the 4chan file-sharing bulletin board along with photos purporting to be snapshots of other celebrities in various states of undress. Sports Illustrated model Kate Upton was also a victim and a rep confirmed that the photos of her were real. Actress Mary Elizabeth Winstead, whose pictures also got stolen, tweeted out that she was "taking a break" after one of her posts ignited a troll-fest.
While it's still unclear whether the photos are all authentic, the FBI has opened an investigation into the breach.
Conducting post-mortems based on skimpy details is always a fraught exercise -- even more so when the story changes by the day. The early hysterics suggested the possibility of a massive iCloud break-in. But Apple put paid to that scenario Tuesday when it said that the celebrity accounts "were compromised by a very targeted attack on usernames, passwords and security questions" and that this was unrelated to a breach in any of its systems. (Meanwhile, there's also the possibility that these photos have circulated for some time. According to a Monday post in Gawker, discussion of the images on the anonymous image-sharing board AnonIB began weeks ago.)
"The whole use of spear phishing as an attack vector to compromise disparate services -- this isn't new; we know about this and they're still being able to do it all the same," said McAfee Chief Technology Officer Raj Samani.
Yes, it's an old story. Something similar happened a few years ago when someone reposted photos stored on phones used by Scarlett Johansson and Blake Lively. But as long as this remains classic tabloid fodder, the incentives are likely to invite more attempts.
"If you're a celebrity, you're going to be targeted more than anyone else because people are going to think that you're lucrative somehow in terms of fame or whatnot," said Zulfikar Ramzan, chief technology officer of Elastica, a security company. "And when you are targeted, you are always at greater risk regardless of your profile."
You do have options
Many celebrities are active on Twitter, Facebook or other social media, where they interact with fans and followers, and their higher profiles inevitably require them to take extra precautions so their accounts don't get hacked. But people -- celebrities or regular folk -- are creatures of habit, and it's unclear how many actually take that extra step. Apple's response to the hack would suggest that more work remains on spreading the message.
Ramzan said both Facebook and Twitter spent a lot of effort specifically providing protection for celebrity accounts, checking for odd patterns of activity that might suggest the possibility of a compromise.
"I heard recently that at Twitter, they thought someone might have hacked Justin Bieber's account because all of a sudden there were some weird messages being posted on it," Ramzan said. "It turned out that Bieber was backstage with Ashton Kutcher and handed Ashton his phone and Ashton started to make some posts on behalf of Bieber, but they didn't look like they were coming from Bieber."
We've contacted Twitter and Facebook for comment and will update this post when we have more information.
As always, security experts urge users to embrace what's known as two-factor authentication, which adds another layer of protection. In its latest statement on the celeb photo attack, Apple advised iPhone owners to always use a strong password and enable two-step verification.
It was just the latest reminder of a message that still isn't getting through to most people, who just enter their username and a single password -- a process known as single-factor authentication. Check out this CNET FAQ to learn more about two-factor authentication, a process in which someone would only be able to access an account after they supply two of these three types of credentials:
- Something you know, such as a Personal Identification Number (PIN), password, or a pattern
- Something you have, such as an ATM card
- Something you are, such as a biometric like a fingerprint or voice print