Exposed Celebrities – Cloud Security Edition


While most of America was 3 or 4 hot dogs into an outstanding Labor Day weekend, a few other individuals were working out how to access other people’s photos stored in Apple’s iCloud.  They succeeded, and promptly begin to advertise the existence of nude photos of various celebs they were now in possession of.  Which of course made the news.

I tend to glaze over the minute I hear “celebrity news” too, but stay with me for just a minute on this one.  To me, the big news isn’t the celebrity part, it’s that we keep forgetting that the “cloud” is really just someone else’s computer.  These computers aren’t magical, just running special services that enable all kinds of cool things, like constant over the air backups of your phone.

In this case, the attackers took advantage of a misconfiguration in the iCloud service that let them try big lists of potential passwords and usernames to find some matches.   And it worked.   An account lockout after a certain number of failed attempts, or using a two factor authentication would have prevented the attackers from gaining access.


Everyone who has an iPhone is a (potential) iCloud user.  Its possible to disable it altogether, but my guess is very very few folks ever do.  It’s so easy and convenient, and ensures you’ll always have access to your phone’s backup in case you need it.  This applies to Google if you’re an Android user, and Microsoft’s OneDrive if a Microsoft user.  We’ll never have control over these services, so perhaps we need to just adopt some new guidelines on using them.

1. Don’t take pictures you wouldn’t mind the whole world seeing.

2. Don’t use a simple password for your account.*

3. Enable 2-factor authentication whenever possible.

4. Don’t take pictures you wouldn’t mind the whole world seeing.

*Apple’s guide to enabling 2-factor authentication for iCloud is available here.

I’m reminded of an old analogy about email: Treat it like a postcard.  When a postcard goes through the mail, it is readable at every point of delivery.  If you need to keep something secret, send it a different way.  The same thing can apply to cloud services.  Leverage the benefits, but beware the risks.  If you do need to store some sensitive info, make sure you think carefully about where it should go.

Thanks for reading, and stay safe out there!


Leave a Reply