Duane D. Stanford Bloomberg News
Apple, which is poised to unveil new iPhones next week, and the FBI are probing reports hackers used the company’s iCloud service to illegally access nude photos of actress Jennifer Lawrence and other celebrities.
Hackers posted the nude photos on the anonymous image-sharing website 4chan, the Telegraph in London reported. The photos targeting more than 100 U.S. and British celebrities were allegedly obtained by breaking into iCloud accounts, the newspaper said. A representative for Oscar winner Lawrence, in an email, called the situation a “flagrant violation of privacy” and confirmed that the photos were hers.
“We take user privacy very seriously and are actively investigating this report,” Nat Kerris, a spokeswoman for Cupertino, California-based Apple, said without providing additional details.
The iCloud service, a key part of Apple’s strategy to unite its iPhones, tablets and desktop computers, lets users store contacts, emails, photos and other personal information on external systems they can access virtually. Apple has fixed a bug in its “Find My iPhone” software that may have allowed hackers to access celebrity iCloud accounts through so-called brute-force attacks that try multiple passwords, the Engadget technology website reported, citing developers.
The Federal Bureau of Investigation released a statement Monday saying it is aware of the allegations “concerning computer intrusions and the unlawful release of material involving high profile individuals.” The agency is “addressing the matter,” Laura Eimiller, an FBI spokeswoman in Los Angeles, said by email.
The FBI doesn’t typically confirm investigations as a matter of practice, Eimiller said by telephone Monday. “Clearly there’s a high public interest, so we felt it appropriate to provide a limited statement,” she said.
The celebrity hack comes days before Apple’s scheduled Sept. 9 product announcement near its headquarters. Apple will introduce bigger-display iPhones and a wearable device at the event, people with knowledge of the plans have said. Anticipation for the event has boosted Apple’s shares about 29 percent this year to a record level.
The risk to iCloud users will depend on whether the breach happened within Apple’s security or within the celebrities’ personal accounts, said Clifford Neuman, director of the University of Southern California’s Center for Computer Systems Security. Either way, some users may not understand when and how they are using such services, especially during the set-up.
“The data are leaving the devices that are in your possession and are now being stored on a server elsewhere,” Neuman said Monday in a telephone interview. “For most things, that’s probably a good thing but for things that are sensitive, that’s a problem.”
Backups of iPhone data stored on personal computers and laptops aren’t automatically encrypted, said Paco Hope, a principal software security consultant in London for Dulles, Virginia-based Cigital. Users must add the option manually. Backups sent to Apple are encrypted, he said.
“A garden variety hack into a celebrity’s PC might find photos in unencrypted backups, or even just as files on the PC,” Hope said. If a hacker “had access to an influential person’s address book, a movie or production company’s contacts, or some talent agency’s data, from there they could have phished a few movie stars, gotten more addresses and so on.”
The celebrities hacked included reality TV star Kim Kardashian and singer Rihanna, the Telegraph reported. Actresses Selena Gomez and Kirsten Dunst also were among the cache, Time reported on its website. The hackers promised to post more photos, Time reported.
“To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves,” actress Mary Elizabeth Winstead posted on Twitter. “Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this.”
One plausible explanation for a wide breach of private photos is by way of a password-retrieval system, said Woodrow Hartzog, who teaches privacy at the Cumberland School of Law at Samford University in Birmingham, Alabama. Customers generally recover forgotten passwords by providing information or answering questions about themselves. Celebrities are particularly vulnerable to hacks of these programs because so much of their life history, such as where they were born, is available in biographies, news stories and websites like Wikipedia.
“Data security is more important than ever before,” Hartzog said in a telephone interview. “We store our most personal intimate moments online, and it’s absolutely critical that that information stay as protected as reasonably possible.”
Once private information like nude photographs are made public, laws in the U.S. are inadequate to do much about it, Hartzog said. Remedies, including getting the data purged, are scant.
“These pictures are likely to still persist,” he said. “It becomes a very difficult thing for anyone, whether a celebrity or any other victim of non-consensual pornography, to be adequately helped under the law.”
Some of the hacked celebrities, including former Nickelodeon star Victoria Justice, said the photographs purported to be of them weren’t real. “These so called nudes of me are FAKE people,” Justice posted on Twitter.
In light of celebrity hacks, how to protect data
By Mae Anderson
NEW YORK— The circulation of nude photographs stolen from celebrities’ online accounts has thrown a spotlight on the security of cloud computing, a system used by a growing number of Americans to store personal information over the Internet.
On Tuesday, Apple acknowledged the security breakdown and blamed it on intruders who were able to figure out usernames and passwords and bypass other safeguards. The company said it found no evidence of a widespread problem in iCloud or its Find my iPhone services. But the theft of the photos raises questions about the protection of information stored beyond a person’s own computer or mobile device.
If celebrities’ photos aren’t safe, then whose are? Some key questions and answers about information that is stored remotely:
Q: What is the cloud?
A: The cloud is a way of storing photos, documents, email and other data on faraway machines. Amazon, Apple, Google and Microsoft all offer cloud-based storage. Smaller companies like Dropbox and Evernote do, too.
The practice saves space on computers, smartphones and tablets and allows users to access the same information from any device. And if you lose your phone, for example, you don’t lose your vacation pictures. The drawback is that you are putting your information somewhere else, so you run the risk of a hacking attack on those systems and accounts.
Q: Is it secure?
A: For the most part, yes. Companies invest a lot to ensure that customers’ private information stays private. “The short answer is the cloud is often more secure than other storage,” says Rich Mogull, CEO of security research and advisory firm Securosis.
But that doesn’t mean the system can’t be compromised. “There are a lot of attackers who have a lot of time,” Mogull says.
Q: How can individuals make their data more secure?
A: You need passwords to access your accounts, so choosing a strong one is important.
Tim Bajarin, an analyst at technology research firm Creative Strategies, recommends having different passwords for each account you hold online, so a breach in one system won’t compromise another. It is also important to have a number and punctuation mark in each password or a creative spelling of a word to make it harder to guess. Also, avoid using common words or notable birthdays as passwords. A strong password is particularly important if you store sensitive information online.
Another way to make your information harder to hack is called multi-factor, or two-step, identification. That means the first time you log onto an account from a new device, you are asked for a second form of identification. Usually, that involves getting sent a code as a text on your phone or an email. A hacker who has your password would still need physical possession of your phone to get the text.
Most major cloud services, including Apple’s iCloud, Google Drive and Dropbox, offer this kind of protection. Amazon’s Cloud Drive is the notable exception. But you usually have to turn this on.
Apple is urging its users to switch to stronger passwords and to enable the two-step authentication feature in the aftermath of the celebrity hacking attacks.
Q: How can I tell if my phone or computer is uploading information to the cloud?
A: You had to have signed up and agreed to the cloud services’ terms, but that might have happened long ago, as you were setting up your device. If you are not sure if you have opted in, check your phone’s settings.
With iPhone photos, for instance, if you have Photo Stream turned on, that means you are storing your photos on iCloud. Check your settings under iCloud. On Android phones, check the Auto Backup settings under Google+ in Google settings.
Q: Is my financial information at risk?
A: Yes, if you use the same password for online banking that you do for other sites, and if you don’t have multi-factor identification on your banking website.
But generally, financial information is among the most protected online. Information is encrypted, or scrambled, in transit. You can tell if a site does that if you see “https” rather than “http” before the website address.
Q: Will my photos and other information remain on the cloud even after I delete them?
A: They should not. Settings vary for different cloud services, but most of them delete information from the cloud when you delete something from your phone or computer, at least once the device has had a chance to sync with the online service.
You can check online, however. All the cloud storage providers have websites you can sign into to check out what information is being stored.
“If you want that extra feeling of being safe, make sure it’s deleted online,” says technology analyst Patrick Moorhead of Moor Insights &Strategy.
Q: How do I opt out of cloud storage?
A: Check your phone or computer settings if you don’t want your photos and documents stored online. There are other ways to store information, including using an external hard drive or your device’s own storage.
“If you really want to be safe, keep confidential information off your service provider and back it up to an external hard drive the old-fashioned way,” Gartner analyst Avivah Litan says.