It seems that every week a new headline emerges heralding the latest internet security breach. Over the last few days hackers revealed that they had stolen and posted on the internet board 4chan nude pictures of a host of celebrities, among them more than a half-dozen A-list actresses and performers, including Oscar winner Jennifer Lawrence, Kim Kardashian, Rihanna, Kate Upton, and Mary Elizabeth Winstead. Lawrence and Winstead confirmed that the pictures were authentic, and have threatened legal action. Not all the posted photos were deemed authentic: Olympic gymnast McKayla Maroney said in Twitter messages that none of the pictures attributed to her were real, but her representatives are threatening legal action in letters to several websites, as reported by TMZ. Nickelodeon actress Victoria Justice, who originally claimed the pictures were fake, has now vowed to take legal action. Pop singer Ariana Grande’s publicist also said pictures of her client were fake.
Celebrities are not the only victims. Large corporations with multimillion-dollar security budgets are not immune from breaches; Target, Home Depot, eBay/StubHub, the Department of Veterans Affairs, Sony’s PlayStation Network, AOL, Monster.com, and now perhaps Apple are just a few of the big corporations that have been hacked.
Lawrence and Winstead reported that the pictures were originally posted to Apple’s iCloud, and they had mistakenly believed that the pictures were long ago deleted.
Apple released a statement confirming that some celebrity accounts were broken into, but determined after an internal investigation that its security systems were not breached. It believes that the hackers committed their crimes the old-fashioned way, by deducing through trial and error the victims’ log-in credentials. Here’s the statement:
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
Who is vulnerable?
According to The Washington Post, “to be blunt, just about everyone. Even when companies hire armies of programmers to keep that data secure, it’s still theoretically available to someone: the company itself, or the government, or a particularly crafty hacker.”
Dr Steven Murdoch, an information security researcher at University College London, agrees. He told the BBC that “this isn’t the first time photos have been taken off cloud storage and it won’t be the last.” He commented that “authentication is not cheap to do right at large scale”, and that banks seem to get it right, while companies like Apple, Dropbox and Google need to do more to protect their customers.
“Storing data on a phone carries an inherent risk,” Ed Felten, a computer-science professor at Princeton, told The New Yorker. “The complexity of the software on our phones, and the network and cloud infrastructure to which they connect, makes it difficult to identify, let alone secure, all of the points of vulnerability. It’s prudent to assume that anything on your phone is potentially at risk.”
Protect your information
So what is the simple lesson learned from this latest celebrity hacking incident? You have to be vigilant in protecting your information.
Even though the public has not received a definitive explanation as to how so many users were hacked, many experts, including Apple, have advised users to protect information by always using a strong password. And you should never use the same password for different accounts. “Even if your password was created to be ‘strong,’ it’s useless if you use it (and the same email or username) at multiple places,” reports Mashable. If one account is compromised, all will be. You should also enable two-step verification. As Google states, “to break into an account with 2-Step Verification, bad guys would not only have to know your username and password, they’d also have to get a hold of your phone.”
These steps are not perfect and will not by themselves ensure that your information is always safe, but they go a long way towards providing you with greater protection, until of course the next great group of hackers finds a way to compromise them.