Kim Kardashian, Vanessa Hudgens, et al. targeted in latest naked celebrity photo leak

Celebgate redux: Alleged nudies of Kim Kardashian, Vanessa Hudgens et al. doxed

Image of Kim Kardashian, courtesy of Wikimedia CommonsEarly on Saturday morning, Celebgate flooded the same sites as it did three weeks ago – 4Chan and Reddit, among others – as cybercrooks again posted nude photos allegedly of celebrities including Kim Kardashian, Vanessa Hudgens, and US soccer goalie Hope Solo…

…and of Hayden Panettiere, and Kaley Cuoco, and Mary-Kate Olsen, and Leelee Sobieski, and Aubrey Plaza, and more as yet unseen photos of Jennifer Lawrence, and … well, the list, unfortunately, goes on.

Celebgate first broke earlier this month, when stolen photos of 100 celebrities were published online.

Jennifer Lawrence’s publicist stated at the time that authorities would prosecute anyone publishing her stolen images.

Nude photos of American gymnast McKayla Maroney, reportedly taken when she was underage, were part of the first batch of stolen photos, making the legal quagmire for sites publishing the photos ever more acute, with the addition of potential prosecutions for publishing naked photos of children.

From the beginning, the FBI has been investigating.

But this new set of photos points to the possibility that the responsible party – somebody who calls himself a “collector” as opposed to the party/parties who obtained the photos, many from iCloud users, by means that reportedly included phishing and brute-force password guessing – could still be up and running the sewage spill.

In this scuffle of threatened lawsuits, potential prosecution for publishing naked underage photographs, and attention from the FBI, sites clamped down on the photo sharing.

For its part, 4chan changed its policy to stipulate that it would comply with the Digital Millennium Copyright Act (DMCA), which allows content owners to get illegally shared material removed.

Reddit, which had nearly instantly turned into a buzzing center of activity for sharing the first crop of photos, in violation of its own anti-doxing rules, subsequently banned the subreddits r/TheFappening and r/Fappening.

“Fappening” is a portmanteau of “The Happening” and “fap”, which is internet slang for “masturbate”, trivializing the theft of private content.

With 4chan’s new policy and Reddit’s recommitment to anti-doxing over freewheeling freedom of speech, both sites quickly removed Saturday’s crop of photos.

Given the fact that many of the photos were stolen from iCloud accounts and that the photos all seemed to appear at once, like a job lot, suspicions initially swirled around an attack having come via exploit of an iCloud weakness.

The rumors turned out to be false.

On 2 September, the day after the first batch was leaked, Apple reported that the doxing was the result of iCloud accounts having been compromised with “a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the internet.”

Easily guessed answers to security questions has been at the heart of account hijacking of multiple celebrities and writers.

That’s how Wired writer Mat Honan and tech columnist David Pogue lost their accounts.

It’s the reason that good security hygiene includes making security question answers as unique and difficult to guess as passwords.

Instead of providing answers to security questions that anybody can find in an easy search (i.e., what’s your date of birth, what’s your mother’s maiden name), you can make up answers.

This is particularly crucial for celebrities, whose private details are often found published in interviews or in their own writing.

For example, Pogue’s written about how much he loves his Prius. One of the security questions he’d filled out prior to his account hijacking was “What’s your favorite car?” D’oh!

One positive outcome of Celebgate’s collateral damage and technology reverberations is that Apple extended its two-step verification (2SV) to iCloud last Wednesday, 17 September.

The move came after security analysts – including Naked Security’s Chester Wisniewski – pointed out that the two-factor authentication Apple had urged users to use in the wake of the doxings didn’t actually apply to iCloud at all.

Unfortunately, as Naked Security’s Paul Ducklin points out, Apple’s stretching the truth a bit when it says that 2SV now “protects all of the data you store and keep up to date with iCloud” when, in fact, it only protects your very first login with a new device.

Apple may have more work to do, but its quick response to the doxing was still a welcome move.

Regardless, the security improvement of iCloud will likely do nothing at all to stem the continuing doxing of nude photos.

Though their initial appearance caused an uproar, the photos were reportedly being passed around privately for at least a couple of weeks before their public release on 31 August, and evidence points to many more unreleased photos and videos being still out there.

Celebrities, we want you, and nonfamous people, of course, to stay safe online.

If you’re not yet using 2SV, please turn it on. Also, check the answers to your security questions.

They should be nonsensical. Pogue’s answer to the question about his favorite car could have been Compost Pudding Tonight, for example. As long as you remember them – you can use a password manager to help you – it doesn’t matter what they are.

Hopefully, if there are any celebrities left whose photos haven’t been doxed, those steps should help keep it that way.

Here are other links that could be useful:

And here’s a short and straight-talking video that not only shows you how to pick a proper password, but also explains why you should bother.

→ Can’t view the video on this page? Watch directly from YouTube. Can’t hear the audio? Click on the Captions icon for closed captions.

Image of Kim Kardashian licensed under Creative Commons.