In 2014, nude photos of as many as one hundred celebrities, including Jennifer Lawrence, Kate Upton, Kirsten Dunst and Hope Solo, turned up online on websites such as Reddit.com and 4chan.org. The photos were taken from both the Apple iCloud accounts and the email accounts of the hacked celebrities. The hacker, a 29-year-old self-described “computer nerd” named Edward Majerczyk, pleaded guilty to one count of unauthorized access to a protected computer to obtain information and was sentenced earlier this week to nine months in prison.
The manner by which Majerczyk accomplished the hacking was simple but effective. He sent spear phishing emails to his intended victims that appeared to come from Apple or Google security and, under various pretenses, requested the victims’ usernames and passwords. He then used those credentials to access their email and iCloud accounts, from which he stole the photos and videos.
Using a similar tactic, Ryan Collins hacked 600 celebrities, thereby obtaining nude photos as well. He was convicted and sentenced to eighteen months in prison.
There are a number of lessons to be learned from this crime about how to protect our own security. It is important to resist providing your username and password in response to emails and text messages unless you have absolutely and independently confirmed that the request is legitimate, which such requests seldom are. If you have any concern that such a request might be legitimate, merely call the real company to confirm the legitimacy of the communication.
Also, take advantage of the dual-factor identification protocols offered by Apple and many others. With dual-factor identification, your password is only the starting point for accessing your account. After you have entered your password, the site you are attempting to access will send a special one-time code to your smartphone, which you must then enter to access your account. In some instances, the companies will only send the code to you if your account is being accessed from a different device than the one you usually use. Had Jennifer Lawrence and the other hacked celebrities used dual-factor identification, they would still have their privacy.
It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be accurate. Smartphones save deleted photographs and videos on their cloud servers, such as the Google+ service for Android phones and iCloud for iPhones. However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.