Remember Celebgate? Also known as “The Fappening”?
Of course you do.
It was the hack which saw intimate private pictures of a number of female celebrities like Jennifer Lawrence and Kate Upton published on the net for anyone to see.
Last month, Andrew Helton, 29, of Portland, Oregon, pleaded guilty to his involvement in a phishing campaign that helped him break into 363 iCloud and Google email accounts.
And this week, 36-year-old Ryan Collins, of Lancaster, Pennsylvania, has said he will plead guilty for his part in the hacking of the celebrity email accounts.
Here is part of the press release issued by the authorities about Collins’s plea bargain:
According to his plea agreement, from March 2011 to May 2013, Helton engaged in a phishing scheme to obtain usernames and passwords for his victims. He sent e-mails to victims that appeared to be from Apple or Google and asked victims to “verify” their accounts by clicking on a link. Once the victims clicked on the link, they were taken to a malicious website that looked like an Apple or Google login page. When the victims entered usernames and passwords on the malicious website, Helton then had access to the victims’ e-mail accounts.
As a result of his scheme, Helton obtained approximately 448 usernames and passwords for approximately 363 e-mail accounts. Helton used this information to access and view the contents of the e-mail accounts.
Many of Helton’s victims were members of the entertainment industry in Los Angeles. By illegally accessing the e-mail accounts, Helton obtained 161 sexually explicit, nude and/or partially nude images of approximately 13 victims, some of whom were celebrities.
You shouldn’t be surprised that a simple phishing email was at the heart of the attack against the starlets. If there had been a catastrophic security hole in iCloud, then chances are that we would have seen much more serious data being stolen by hackers than a few hundred naked photos of female celebrities.
The truth is that phishing is a remarkably successful method of attack. Individuals and even companies are tricked into making bad decisions by carefully-crafted email messages… with damaging consequences.
And it’s no surprise that those doing the phishing were targeting the email accounts of celebrities. Your email account is really at the heart of your online identity, tied to many of your online accounts and used for password resets.
But more than that, your email account also has an address book. That means that if someone wanted to target others in your industry circle or social sphere then they now have their email addresses…
Which perhaps helps to explain how quite so many female celebrities (who you would normally expect to keep their personal email addresses pretty private) were hit by the Celebgate nude photo hack.
In short, your email account is important to defend. If there is one lesson that we *all* can learn from this case, it’s that we should harden the security of our online accounts.
Your Gmail account, your iCloud account, and many many others can be defended with two factor authentication or two-step verification methods that will demand that you don’t just enter a username and password (which you have just handed to a phishing criminal), but also a PIN code that changes every 30 seconds and that – hopefully – only you will know.
Watch my video to learn more:
Stay safe folks, and, if available, always enable two-factor authentication on online services.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.