In case there weren’t enough examples of the perils of storing private information on the web, an anonymous hacker (or hackers) has provided users of connected devices with yet another cautionary tale illustrating what and what not to share online.
On August 31, the personal photos and videos of over a dozen actresses, models, and musicians were leaked on the anonymous online image board 4chan.org. The leak quickly spread onto the popular news and media sites reddit.com and imgur before finally making its way to more mainstream outlets like Facebook and Twitter. More torrent than leak, the posts feature hundreds of selfies of 20 female celebrities that, based on the subject matter, were not intended for mass public consumption.
The images were posted anonymously by several users on multiple 4chan image threads. One poster claims to have exploited a vulnerability in Apple’s iCloud image service to gain access to the victims’ accounts. Apple has yet to confirm or deny the validity of this claim, instead choosing to quietly patch a known security flaw in its Find My iPhone service that allowed hackers to “brute force attack” the service in search of Apple ID and password combinations. Brute force attacking involves the hacker using a trial-and-error approach to gain access to accounts. In most cases this strategy is impractical because of the astronomical number of attempts necessary to find a valid match. But for systems that allow a hacker unlimited attempts, a fast computer and a large list of common passwords can make relatively short work of it. The vulnerability in question was possibly used earlier this year by a hacker calling himself Oleg Plisse to remotely lock a large but undetermined number of Australian iPhones before sending messages offering to unlock them for a ransom.
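The effect of capping attempts, as an added example that is not part of the original article: an in-memory login check with a per-account failure limit, run against a constructed list of common passwords. The class and function names, the policy of 5 failures per 15 minutes, and the sample list are assumptions for illustration.

```python
import hashlib
import hmac
import os

class ThrottledLogin:
    """In-memory credential check with a per-account failure limit."""

    def __init__(self, max_failures=5, window=900):  # assumed policy: 5 per 15 min
        self.max_failures, self.window = max_failures, window
        self._users = {}      # account -> (salt, derived key)
        self._failures = {}   # account -> timestamps of recent failed attempts

    def add_user(self, account, password):
        salt = os.urandom(16)
        self._users[account] = (salt, self._derive(password, salt))

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def attempt(self, account, password, now):
        """Return 'ok', 'denied' or 'locked' for a login at time `now` (seconds)."""
        recent = [t for t in self._failures.get(account, []) if now - t < self.window]
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            return "locked"   # refused before the password is even checked
        salt, key = self._users.get(account, (b"\0" * 16, b""))
        if hmac.compare_digest(self._derive(password, salt), key):
            self._failures[account] = []
            return "ok"
        recent.append(now)    # same list object that is stored above
        return "denied"

def guesses_evaluated(service, account, wordlist, seconds_between=1):
    """Return (guesses the service actually checked, whether one succeeded)."""
    checked = 0
    for i, guess in enumerate(wordlist):
        result = service.attempt(account, guess, now=i * seconds_between)
        if result == "locked":
            continue          # this guess was never compared to the password
        checked += 1
        if result == "ok":
            return checked, True
    return checked, False

# Constructed sample data: a short list of common passwords.
COMMON = ["123456", "password", "qwerty", "letmein",
          "abc123", "iloveyou", "monkey", "dragon"]
```

With no limit, an account whose password is the last entry in the sample list falls on the eighth guess; with the limit, only five guesses are checked before the account locks. A window-based limit caps the guess rate rather than the total number of guesses, so it complements strong passwords rather than replacing them.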
While the sheer scope of this leak may seem to corroborate a massive hack of some sort, the ever-vigilant sleuths of the internet are busy concocting several alternate theories of varying plausibility. One front-runner involves a hacker attending the recent Emmy awards ceremony and compromising the venue’s WiFi in order to gain access to celebrities’ smartphones. Another theory is that the photos come from a massive cache of celebrity images that has been circulating on the Dark Web for some time now. For the uninitiated, the Dark Web (or Deep Web) is the massive portion of the internet that is ostensibly unreachable by conventional means (links and search engines). Because of its relative obscurity, the Dark Web is often used to engage in all manner of seedy and sometimes illegal activities while normal users remain completely oblivious.
The Dark Web theory has gained traction based on some of the inconsistencies with the iCloud hacking claims and also some of the events leading up to the leak. iCloud exclusively backs up images to the service, but some of the leaked content included videos. Furthermore, some of the images appeared to be from other services like Snapchat, while others still were later proven to be fakes. But the linchpin of this theory comes in the form of yet another poster to an anonymous image board claiming to have access to the Dark Web celebrity cache days before the actual leak was released, even successfully predicting some of the victims involved. This and the apparent heterogeneous nature of the leaked content add some credence to the Dark Web theory.
Whether Dark Web, award show hacker, or otherwise, the lesson here is obvious: it pays to keep certain information quarantined from the internet. Financial records, classified documents, and personal photos are safest when stored on unconnected devices or good old-fashioned paper. Because of the default opt-in nature of many of the cloud and sharing services, it no longer takes a jaded “ex” to make your information reach a larger-than-intended audience. Knowing this, it’s probably a good idea to take an extra second or two before you click “send.”