Are Your Photos Safe in the Cloud?

01 September 2014

It’s happened again. Another hack attack. This time aimed at photos that no-one intended to see the light of day. Below are the practical steps you can take to avoid becoming the next target.

How did it start?

An anonymous hacker broadcasted their claims on the popular image boards “4Chan” and “Anon-IB” to have hacked into over 100 Apple iCloud accounts all belonging to celebrities. The method which has been employed to do this has not been confirmed* but there are many methods the hackers could have used, ranging from the exploitation of technological vulnerabilities in the devices or the cloud service itself to the exploitation of human vulnerabilities through the use of phishing techniques to gain access to password details.

Interestingly, the origin of the data is still being disputed, for example in many cases it is claimed that the intimate photos were deleted several months, or even years prior to the leak. Not only this, but iPhone videos are not automatically uploaded to iCloud unless deliberately configured to do so. So unless the holders of the hacked accounts had intentionally set their iPhone to upload videos to their iCloud streaming service, it seems this material could have been obtained from an account with another cloud-based service provider.

Are the services unsecure?

Apple’s encryption system is known to be secure. As long as your passwords are unique and secure, it would be very hard for anyone to intercept your photos and information that you send between your phone and your tablet via Apple’s servers. Dropbox is similarly secure if hackers don’t have your password.

This suggests that the hackers would have had to get full usernames and passwords before they made their attack – they might have stolen them or guessed them, they may have inadvertently been revealed by the account holder following a phishing attack or they may have become available from a previous data breach of another company. However, whilst many organisations invest substantial amounts of money in keeping information secure, data is often only as secure as your password. In this case the question is therefore not how strong the provider’s security is, but rather how safe and strong is your password?

What can you do to keep your data safe?

If you make your password easy for someone to steal, for example by having the same password across different log-ins, you are already at risk. Follow these steps to change that now, particularly if you are already using cloud services or online sharing platforms like Dropbox:

  1. Apple, Google (for Google+ and Gmail) and Dropbox all offer a “Two Factor Authentication” – this means that you will type in your password and then a pin number which is sent to you as a text message, so you need both pieces of information to log in. This is a bit more time consuming but it means that anyone who wanted to hack in would need both pieces of information – so their chances are a lot slimmer.
  2. Change your password – and make it strong. It doesn’t need to be hard to remember, but try to use a combination of letters and numbers and don’t make it anything obvious (like your kids names). Apple already requires passwords which are at least 8 characters long, with a number, and an uppercase letter.
  3. Don’t make it so hard that you have to write it down somewhere or you end up using the same password for everything – this defeats the purpose of making it secure! If one account gets hacked, all your other accounts that use the same email address and password will be at risk too.
  4. Password-protect your devices – your photos and videos might be encrypted on the iCloud server, but they aren’t on your phone!
  5. Turn off the automatic backup service on iCloud/Dropbox/Google/Android/Picasa – they will all have the ability to disable this feature. If you would like step-by-step instructions let us know.

*Apple's update to celebrity photo investigation

Receive our monthly newsletter

About the Author

Joelle Rich

Partner

Joelle specialises in privacy, defamation, private family law and intellectual property rights, with clients ranging from high profile and high-net worth individuals to companies in the financial sphere.

646 934 6219
Our 24 hour number
646 934 6219
Legal information

© 2020 Schillings International LLP. SCHILLINGS is a trading name of Schillings International LLP and Schillings International (USA) LLP.

Schillings International LLP is a limited liability partnership registered in England and Wales with registration number OC398731. A list of members of Schillings International LLP is available for inspection at our registered office 12 Arthur Street, London, EC4R 9AB. Schillings International LLP is an Alternative Business Structure regulated and authorised by the Solicitors Regulation Authority.

Schillings International (USA) LLP is a registered limited liability partnership organised and existing under the laws of the State of Delaware, United States of America, whose principal place of business is at One World Trade Center, Suite 8500, New York, NY 10007. Our New York based attorneys are registered as a foreign legal consultant in the State of New York.


ATTORNEY ADVERTISING