How those nude photos were leaked (and why you should care)

What does the hack mean for your own cloud security? Here are all of your nude selfie-related questions answered.

Sharon Profis Vice President of Content, CNET Studios
As the Vice President of CNET Studios, Sharon leads the video, social, editorial design, and branded content teams. Before this role, Sharon led content development and launched new verticals for CNET, including Wellness, Money, and How To. A tech expert herself, she's reviewed and covered countless products, hosted hundreds of videos, and appeared on shows like Good Morning America, CBS Mornings, and the Today Show. An industry expert, Sharon is a recurring Best of Beauty Awards judge for Allure. Sharon is an avid chef and hosts the cooking segment 'Farm to Fork' on PBS nationwide. She's developed and published hundreds of recipes.
  • Webby Award ("How To, Explainer, and DIY Video"); Folio Changemaker Award, 2020
Sharon Profis
4 min read

Celebrities have the same security tools we do, so technically, we're all equally vulnerable. Sharon Profis/CNET

A number of celebrities were targeted this week in an attack that exposed nude photos -- some said to be real, others fake -- stored in Apple iCloud accounts. Here's what we know and what it means about your own cloud security.

How were the celebrities' accounts hacked?

Celebrities whose iCloud photos were leaked fell victim as a result of targeted attacks, according to the latest reports and information released by Apple. This means the people who hacked into the accounts likely knew the email addresses associated with the celebrity accounts or they were able to answer security questions that granted them access to the accounts.

It's still unclear how the hackers might have known the answers to account security questions and obtained the usernames for the accounts.

What about that security hole?

It was thought hackers may have gained access to the iCloud accounts through a security hole in the online storage service's "Find My iPhone" feature which allowed them to conduct brute-force attacks. With a brute-force attack, hackers use a script to automatically try many different username and password combinations in rapid succession until the correct combination is guessed.

Apple patched this hole Tuesday morning and confirmed that this was not the method used by the hackers to log in to the celebrities' accounts.

I still don't understand. They're celebrities.

Contrary to popular belief, most celebrities use technology the same way as most other not-famous people. Apple, Google, and other major tech players don't necessarily give celebrities access to special security features. If there were security-bolstering features available, we'd hope these companies would distribute them to all users, not just the privileged.

Celebrities have the same security tools we do, so we're technically all equally vulnerable. But, since their faces grace the covers of magazines and theater screens, they end up being targeted more often.

Celebrities also don't always take advantage of security protocols that are available. For example, based on the information currently available, these celebrities might have been protected against the attacks if they were using two-step verification, which adds an extra step to the basic log-in procedure.

Why would they store photos in the cloud in the first place?

Cloud backup services like Apple's iCloud and Google's Instant Upload are often enabled by default, so it's possible the photos were being uploaded to iCloud without the celebrities being aware.

For example, iCloud's Photo Stream service automatically uploads photos you take on your Apple device and stores them in iCloud for 30 days. With Photo Stream uploading enabled, those photos can be accessed from any device, no matter where you are in the world, using your iCloud credentials.

Should I be worried?

Even though you're not Brad Pitt or Cameron Diaz, it's a good time to review your own iCloud security. Photos aren't the only items stored in iCloud -- your contacts, iOS device's location, and notes may also be stored there. Here are some steps you can take:

1. Enable two-step verification. Now.
The greatest defense against brute-force and targeted attacks is still two-step verification. It won't protect you against issues like security holes, but it's still your best shield against targeted hacking, where someone is able to obtain your username or answers to your personal security questions to access an account.

When enabled, two-factor authentication adds a second level of authentication to an account login. One common example, is a code sent to a mobile device that must be used in addition to a username and password to log in to an account. Follow these steps to set up two-step verification for your Apple ID.

Disappointingly, TechCrunch points out that Apple's two-step login is really only designed to protect users against unauthorized credit cards purchases, but it's still important to enable, especially if the company corrects this oversight.

2. Disable any services you don't actually use
If the data doesn't exist in the first place, there's no reason to hack it.

Do you even need Photo Stream or other iCloud services like contact-syncing? If not, disable these services. To do so, go to Settings > iCloud on your iOS device and disable the unnecessary services. Then, sign into iCloud.com and delete any previously-uploaded Photo Streams.

3. Consider using fake answers to security questions
Was your mom born in Chicago? That's great, but you should probably use a different answer. Most recent reports suggest hackers used social engineering to learn answers to the celebrities' security questions, which ultimately gave them access to the accounts. To prevent frenemies or hackers from getting into your account, consider using fake, random answers they'd never be able to discover.

4. Do the same thing for other Web services
While you're at it, consider repeating the same steps for other cloud services, including Dropbox, auto-backup on Android, or even Flickr. The more you minimize data automatically uploaded into the cloud, the greater control you'll have over your private information.

Editor's Note: Story was updated Wednesday at 3:39 PST to reflect most recent reports on two-step verification and how the hackers accessed the accounts.