It seems everywhere you turn these days, another website or service has been hacked, exposing details about its customers. These details are usually in the form of usernames and passwords, but over the weekend a handful of Jennifer Lawrence nude photos surfaced on the internet courtesy of malicious hackers. Other celebrities whose nude photos surfaced included Kate Upton, Rihanna, Ariana Grande, and many more.
UPDATED (09/02/2014 12:45 pm PDT): Apple has issued a press release with an update to their investigation into the breach. In it they mention that iCloud as a whole was not breached and that the attacks were targeted toward specific individuals.
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.
While users of iCloud can breathe a collective sigh of relief, Apple recommends – as we do below – enabling two-step verification and using strong passwords on all your accounts. Check our original story below to find out some of the ways accounts are compromised and some steps you can take to better protect yourself from hack attempts on your online accounts.
As further details emerge, media outlets are reporting that the source of the leaked images could be Apple’s own iCloud service. iCloud is a popular service for users of Apple devices which allows them to store their contacts, calendars, photos, and other information in the cloud in order to access them from all their devices. At this point in time, both Apple and the FBI are investigating the source of the leak and an emailed statement by Apple spokeswoman Nat Kerris stated:
“We take user privacy very seriously and are actively investigating this report.”
Whether or not iCloud was the source of these images remains to be seen. Other cloud services such as Google Drive, Microsoft OneDrive, or Dropbox could just as easily be the source. Regardless of where the private images were obtained, the heart of the matter here is security in the cloud.
How Accounts Are “Hacked”
One of the most common ways a hacker can gain access to an account is through a method known as phishing.
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
You may have seen some of these attempts before. They most commonly appear as an email asking you to confirm your username and password by clicking on a link contained within the email. These emails look official and convincing enough to have come from PayPal, eBay, or any other service you may be using. Clicking on the link, however, will not take you to that site but to another website that’s set up to look like the login page for that service. Once there, anything you enter is gathered and stored in the hacker’s database for later use.
If you ever receive an email or request to verify your information, the best way to do so is to open a new browser window or tab and go directly to the service’s website by typing its URL manually into your browser. Once you are there and start the login process, you should see https:// or a tiny lock near the address bar (depending on what browser you use). By doing so, you bypass the phishing attempt, and the attempt to get your login details will have failed.
But Isn’t It Deleted Once I Delete It?
Actress Mary Elizabeth Winstead brings up an interesting question in her tweet addressing the leaked images of herself.
Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked.
— Mary E. Winstead (@M_E_Winstead) August 31, 2014
When you delete a photo or other data from a website or service, it may take months before it is truly deleted from their services. There are a number of reasons for this, including the number of machines the image may be backed up onto as well as the archival/backup policy of each service. This policy varies widely from one website to another, and unfortunately, users can’t assume that deleting an image (or other data) from the cloud means it is instantly – if ever – deleted from all copies of it that exist online or offline.
Facebook is a prime example of this. You can delete your Facebook account, but you may not realize that Facebook never really deletes your account – it just deactivates it and if you return at a later date and log back in, all your data is preserved as if you never left in the first place.
How To Protect Yourself Further
One of the easiest ways to make it harder for your online accounts to get hacked is to enable two-factor (or multi-factor) authentication.
Multi-factor authentication (MFA) is an approach to authentication which requires the presentation of two or more of the three independent authentication factors: a knowledge factor (“something only the user knows”), a possession factor (“something only the user has”), and an inherence factor (“something only the user is”). After presentation, each factor must be validated by the other party for authentication to occur.
More simply put, this method of logging in often requires entering a username and password on the website or service, and then verifying your login via a code generated by a standalone mobile app or sent to your mobile device via text message.
Most of the popular services have two-factor authentication, and more are coming on board as these privacy breaches continue. You can learn more about two-factor authentication for some of the more popular services at these links below:
Another simple thing you can do to help protect yourself is to use a different password for each service you use. Depending on the number of services you use, remembering them all can become cumbersome, but there are password storage services and apps that can help you keep track of your passwords. And please, don’t use common passwords such as those generated from easy-to-find information like family member or pet names!
Are you using two-factor authentication and unique passwords? Let us know if there are any other steps you take to secure your data saved to the cloud in the comments below, or on Google+, Facebook, or Twitter.
Source: Reuters