Nude celebrity photo hack: How safe is your data in cloud storage?

Nude photos of dozens of celebrities, presumably stolen from cloud storage services, started appearing online Sunday night. Here's how the rest of us can keep personal data safe.

Internet users browse their Facebook website by the free wifi internet service in an underground station in Hong Kong. The release of nude photographs of dozens of celebrities, including Jennifer Lawrence, Sunday has exposed the vulnerabilities of cloud storage.

Kin Cheung/AP/File

September 2, 2014

The leaking of nude celebrity photographs stored in the “cloud” over the weekend appears to have laid bare the inherent insecurity of virtual data storage.

Nude images of Jennifer Lawrence and several other celebrities began appearing online Sunday night. An anonymous hacker claims to have accessed the Apple iCloud accounts of 100 celebrities. Apple Inc. has yet to confirm that any iCloud accounts have been tampered with.

The Federal Bureau of Investigation is investigating the matter.

Why many in Ukraine oppose a ‘land for peace’ formula to end the war

Perhaps coincidentally, a day before the private photographs began appearing online, hackers uploaded to the code-hosting site GitHub a roadmap for would-be hackers to exploit a vulnerability in Find My iPhone security protocols, ZDNet reports. The vulnerability allowed infiltrators how to subvert login security features that typically shut out infiltrators after just a few failed login attempts, enabling them to flood the login system with thousands of possible password in hopes of hitting the right one.

Apple has since patched that loophole, but the incident illustrates how unforeseen back doors to online storage services can open the gates to private data.

"It is important for celebrities and the general public to remember that images and data no longer just reside on the device that captured it," security researcher Ken Westin wrote in a blog post Monday. "Once images and other data are uploaded to the cloud, it becomes much more difficult to control who has access to it, even if we think it is private."

More than 300 million people around the world store files, photographs, and other data on cloud servers, according to CBS New York.

“I think there are a lot of folks, especially celebrities, [who] don’t take their information security seriously,” cloud security expert Jeff Schilling told CBS.

In the race to attract students, historically Black colleges sprint out front

While photos of average citizens typically don’t carry quite the price tag that those of celebrities do, there are plenty of reasons that individuals may want to protect their images.

In recent years, reports of employers passing over job applicants, rescinding offers, and even firing employees as a result of compromising photographs appearing on social media have been steadily increasing. While many users have become more savvy about what images of themselves they choose to post online, they may not realize that photos that they believe to be stored securely could be accessed, and subsequently posted, by people wishing to harm their reputations.

Even those that don’t have any compromising pictures may feel squeamish about the idea of hackers accessing their most precious family memories.

“Are you any less secure than you were a month ago? The answer is no,” Patrick Moorhead, president of technology analytics firm Moor Insights & Strategy, told NBC News on Monday.

So what can you do to protect your data?

Perhaps the simplest step that cloud users can take is to add a second layer of authentication similar to that employed by many banking websites.

Both Google and Apple offer multiple-layer verification features. They aren’t default settings, so users have to search for them.

Apple’s two-step verification system tethers an Apple ID to a specific device, most commonly a cell phone. Any time a user with activated two-step verification makes any changes to their Apple ID account, Apple sends a four digit verification code to the specified device as a secondary password. This feature means that even if hackers crack a user’s password, they can’t make blanket changes to the account. It won’t keep hackers out entirely, but it will prevent them from locking the verified user out of their own account.

Google offers a similar feature for its suite of services including Google Drive, Gmail, and Google+.

The weblog The Social Customer Manifesto offers instructions for implementing two-tier verification on 50 popular websites.

Material from The Associated Press was used in this report.