Whether you chose to call it “Celebgate” or refer to it by the rather crude moniker of “The Fappening”, there’s no doubt that the leaking on the internet of private nude photographs of dozens of Hollywood stars was one of the biggest stories of 2014.
At least 50 celebrity Apple iCloud accounts and 72 Gmail inboxes were broken into by 36-year old Ryan Collins, from Lancaster, Pennsylvania, whose victims included Jennifer Lawrence, Kirsten Dunst, Avril Lavigne, Kate Hudson, and Rihanna.
So how did Collins do it? Well, he simply tricked celebrities and their acquaintances and staff into coughing up their email passwords, by sending them emails that appeared to come from Apple or Google.
Collins was also able, in some instances, to use custom software to download the entire iCloud backups of his victims in his quest for nude photographs.
This meant that even if celebrities had not shared their private intimate snaps via email, Collins was able to extract it from their iPhone’s online backup.
And, of course, unlocking the email account of one celebrity inevitably reveals the contact details of other celebrities – opening opportunities for further attacks.
In a statement issued earlier this year, FBI assistant director David Bowdlich described some of the distress that Collins’ victims must have felt:
By illegally accessing intimate details of his victims’ personal lives, Mr. Collins violated their privacy and left many to contend with lasting emotional distress, embarrassment and feelings of insecurity. We continue to see both celebrities and victims from all walks of life suffer the consequences of this crime and strongly encourage users of Internet-connected devices to strengthen passwords and to be skeptical when replying to emails asking for personal information.”
Interestingly, there is no evidence to suggest that Collins was the person who actually leaked the photographs onto the internet, causing such a commotion. Instead, it appears that Collins was quite content phishing celebrities, and adding to his personal collection of nude photos from November 2012 until September 2014 when “The Fappening” occurred.
One of the victims, Hollywood star Jennifer Lawrence, was blunt in her opinions of the sites which chose to share the stolen photographs with their visitors:
“It is not a scandal. It is a sex crime. It is a sexual violation. It’s disgusting. The law needs to be changed, and we need to change. That’s why these Web sites are responsible. Just the fact that somebody can be sexually exploited and violated, and the first thought that crosses somebody’s mind is to make a profit from it. It’s so beyond me. I just can’t imagine being that detached from humanity.”
And now, Collins has been sent to prison for 18 months, leaving a wife and two young children without their father. Things could have been much worse for Collins and his family – if he had not agreed to a plea bargain with the authorities, it’s possible that he could have been sentenced to the maximum of five years in prison.
In all, the authorities identified over 600 victims of Ryan Collins including many members of the entertainment industry.
And it would be a brave person who bet money that a similar attack couldn’t happen in future, as we all know how easy it can be to trick people into unwittingly revealing their password through a carefully constructed phishing email.
Let’s hope that all of the stars exposed by “Celebgate” have learnt the valuable lesson of enabling multi-factor authentication to provide an additional layer of protection on their online accounts, and that regular civilians have also wised up that you should be protecting your online accounts with more than just a password.
I would advise all internet users to enable two step verification or two factor authentication on their accounts whenever available to increase their security.
The great thing about two-step verification and two-factor authentication is that it can help protect your data, even if your password is stolen by a criminal.
by Graham Cluley, ESET We Live Security