Celebrities may be better-looking, more talented and more famous than you, but the trade-off is that they’re ridiculously easy to hack.
That’s because we know just about everything there is to know about famous people, including Oscar-winner Jennifer Lawrence and the 100 or so other female celebs whose nude photos were leaked by hackers over the weekend.
The problem stems from the security questions that websites ask you to answer when you’ve forgotten your password. Consider some of the default questions for Apple’s iCloud, a storage service that was the alleged source of the nude photos: What was your childhood nickname? Who was your best friend in high school? And when is your birthday?
Though we put a lot of ourselves out there on the Internet, strangers could not easily answer all those questions about an ordinary person. But a simple Google search reveals Lawrence’s childhood nickname (“Nitro”), her best friends growing up and her birthday (Aug. 15, 1990).
“So many online accounts like iCloud are based on pieces of information like where you were born or what year you went to school that are relatively easy to gather,” said Michael Gregg, chief executive of Superior Solutions, a computer security consulting firm. “For celebrities, there’s a huge amount of information already out there.”
In a statement on Tuesday, Apple said that individual celebrity accounts had been compromised but not the iCloud system as a whole.
“We have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet,” the company’s statement read. “None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.”
On Monday, the FBI said it was investigating the leak of the celebrity photos.
While it remains unclear in this case how the photos were stolen, hackers have often managed to expose the secret lives of celebrities and politicians by guessing the answers to their security questions.
In 2008, college student David Kernell hacked then-Alaska Gov. Sarah Palin’s email account by finding the answers to her security questions — like the fact that she met her husband in high school — via Google search. In 2010, Kernell was sentenced to a year in prison.
Also in 2010, Christopher Chaney, 35, hacked the email accounts of about 50 celebrities — including actress Scarlett Johansson and pop singer Christina Aguilera — by using publicly available information to guess the answers to their security questions. He then posted nude photos of Johansson that surfaced on celebrity websites. In 2012, Chaney was sentenced to 10 years in prison.
And last year, hackers exposed the financial records and personal information of several famous individuals — including former Secretary of State Hillary Clinton and celebrity Kim Kardashian — by stealing their credit reports. How the hackers stole the reports is still unknown. But credit agencies issue a series of three or four multiple-choice security questions, the answers to which can be guessed, “especially if that guessing is assisted by ferreting out biographical details from social networking accounts, public records, or in the case of celebs, news coverage,” Forbes noted at the time.
While figuring out the answers may be easy, sometimes hackers don’t even need to do that. When hackers broke into Wired writer Mat Honan’s Apple account in 2012, Apple’s tech support gave them a temporary password — even though they weren’t able to answer his security questions. The episode prompted The Atlantic to call security questions “the biggest joke in online identity verification.”
Celebrities face other online security challenges as well. They’re bigger targets because their nude photos are valuable in underground forums or to gossip websites. Some hackers try to leak intimate photos of celebrities to show off their hacking prowess. And the famous often have personal assistants who manage their accounts and know their passwords.
Gregg, the computer security expert, said the latest hack of celebrities’ accounts could likely have been avoided if the celebrities had used a security feature called two-factor authentication, which requires them to enter a PIN code sent to their phones when they log in to their accounts. That would make it harder for hackers because they also would need access to their victims’ phones.