The lesson we all must learn from the Celebgate nude photo hack

And it isn’t about not taking naked pictures of yourself…

Jennifer lawrence

Remember Celebgate? Also known as “The Fappening”?

Of course you do.

It was the hack which saw intimate private pictures of a number of female celebrities like Jennifer Lawrence and Kate Upton published on the net for anyone to see.

Sign up to our free newsletter.
Security news, advice, and tips.

Last month, Andrew Helton, 29, of Portland, Oregon, pleaded guilty to his involvement in a phishing campaign that helped him break into 363 iCloud and Google email accounts.

And this week, 36-year-old Ryan Collins, of Lancaster, Pennsylvania, has said he will plead guilty for his part in the hacking of the celebrity email accounts.

Here is part of the press release issued by the authorities about Collins’s plea bargain:

According to his plea agreement, from March 2011 to May 2013, Helton engaged in a phishing scheme to obtain usernames and passwords for his victims. He sent e-mails to victims that appeared to be from Apple or Google and asked victims to “verify” their accounts by clicking on a link. Once the victims clicked on the link, they were taken to a malicious website that looked like an Apple or Google login page. When the victims entered usernames and passwords on the malicious website, Helton then had access to the victims’ e-mail accounts.

As a result of his scheme, Helton obtained approximately 448 usernames and passwords for approximately 363 e-mail accounts. Helton used this information to access and view the contents of the e-mail accounts.

Many of Helton’s victims were members of the entertainment industry in Los Angeles. By illegally accessing the e-mail accounts, Helton obtained 161 sexually explicit, nude and/or partially nude images of approximately 13 victims, some of whom were celebrities.

You shouldn’t be surprised that a simple phishing email was at the heart of the attack against the starlets. If there had been a catastrophic security hole in iCloud, then chances are that we would have seen much more serious data being stolen by hackers than a few hundred naked photos of female celebrities.

The truth is that phishing is a remarkably successful method of attack. Individuals and even companies are tricked into making bad decisions by carefully-crafted email messages… with damaging consequences.

And it’s no surprise that those doing the phishing were targeting the email accounts of celebrities. Your email account is really at the heart of your online identity, tied to many of your online accounts and used for password resets.

But more than that, your email account also has an address book. That means that if someone wanted to target others in your industry circle or social sphere then they now have their email addresses…

Which perhaps helps to explain how quite so many female celebrities (who you would normally expect to keep their personal email addresses pretty private) were hit by the Celebgate nude photo hack.

In short, your email account is important to defend. If there is one lesson that we *all* can learn from this case, it’s that we should harden the security of our online accounts.

Your Gmail account, your iCloud account, and many many others can be defended with two factor authentication or two-step verification methods that will demand that you don’t just enter a username and password (which you have just handed to a phishing criminal), but also a PIN code that changes every 30 seconds and that – hopefully – only you will know.

Watch my video to learn more:

Geek secrets: Better security than passwords alone | Graham Cluley

Stay safe folks, and, if available, always enable two-factor authentication on online services.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.