How to make sure nobody steals your naked selfies

It has been a bad week for Jennifer Lawrence and the other celebrities whose personal photographs were posted online. It’s time we all stepped up our security.

Thanks for nothing: hackers leaked a nude photograph of the Oscar-winning actor Jennifer Lawrence. Photograph: Kevin Winter/WireImage/Getty

What are the passwords for your email, Twitter and Facebook accounts? Are they the same or different? If you're like most people they're probably variations on your birthday, the place where you were born, the name of your first pet, the name of your first boyfriend or girlfriend, or your mother's maiden name. Most of us use these because we're not meant to write down our passwords; something personal is easy to remember.

Which is fine. Unless you’re a celebrity. The voracious public appetite for celebrity culture means that many of the details of their lives are freely available online. There are lengthy and detailed biographies on Wikipedia and fan sites; you wouldn’t need to be a cybercriminal mastermind to have a stab at a celebrity’s personal password.

This week intimate photographs of dozens of celebrities were posted to the online image-based bulletin board 4chan. The Oscar-winning actor Jennifer Lawrence has confirmed that a leaked topless photograph of her was real.

On Wednesday Apple confirmed that some famous people’s iCloud accounts were broken into, but the company says it found no evidence that this was caused by a breach of its security systems. “After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet,” it said.

Internet-security experts now believe the photographs were stolen from the victims’ iCloud accounts by people who simply scoured the web for personal information about them, then used it to guess a password or the answer to a security question that would give access to the account.

As I write I’m looking at Lawrence’s Wikipedia page. I can see her date of birth, her middle name, the city and state where she was born, her mother’s maiden name and occupation, her father’s name and occupation, the names of her older brothers, the name of her school and even her grade average there. And Lawrence’s page is relatively short compared with those of other famous actors.

If you have somebody’s personal email address it’s even easier. Some celebrities have a trusted journalist who will write about them, to help build their profiles, in exchange for exclusive news about the stars. But journalists often share information, sometimes trading it for other information, or it leaks out by mistake, through carelessness or perhaps even through drunken boasting.

Nude photographs may not be the end of this. One security expert, Nik Cubrilovic, warns that other personal information, such as text messages, address books, call logs and any other data typically stored in the cloud, can also be easily hacked.

Apart from strengthening your password, all iCloud users need to look at the answers they provided for the “secret” iCloud questions that allow you (or a hacker) to reset your password without even knowing your original password.

This week a journalist at the Washington Post, Caitlin Dewey, showed how easy it is to reset someone's iCloud password if that person is a good friend or family member. She wanted to get into her brother's account, so, not knowing his password, she asked Apple to send her his "secret" questions. She was asked for her brother's Apple ID (typically the user's primary email address), his date of birth, the city where his parents met, and his childhood nickname. All easy questions for a sibling to answer.

She got into her brother’s iCloud within a few minutes; then she could do what she wanted with his personal information, including buying music and apps on his account. To get into his Gmail account all she had to provide was the approximate date her brother opened the account, the names of some frequently emailed contacts and their father’s middle name.

Apart from advising users to change all their “secret” questions, Apple is urging iCloud users to adopt its “two-step verification” process, which involves, in addition to a password, an access code sent to your mobile phone. Until this week most iCloud users didn’t know it existed. They do now.

Staying safe online: five tips for better security
Rik Ferguson of the internet-security firm Trend Micro has five easy-to-follow tips to help you stay secure online.

1 If an online service you use offers you options to increase your security, enable them. And turn on every two-factor authentication option available to you. You have to search for these on each service you use.

2 Do not reuse passwords: use a different password for email, Facebook, Twitter and so on.

3 If you have to use a security or "private" question, make sure that you and you only – not your friends or family – know the answer.

4 Deleted may not always mean deleted: erasing photographs from your mobile phone doesn't mean they're gone – they're probably still on backup files and in the cloud.

5 Stop taking naked photos of yourself.