It seems that on February 7th, and ongoing through the end of last night, people were trawling Smugmug and Zenfolio for all those naughty boudoir pictures that people have been taking and putting behind a password. The good part is that the link was taken down at the site collecting them, and the admin of the site was being pretty cool about it, even if it is a voyeur web site. It was pretty easy to find with all the traffic going on about how this was happening.
Really, your stuff wasn't hacked. It was more a case of using an automated scraper to find anything with the word nude in the title, then a quick automated check to see if you were using any one of the 100 most commonly used passwords for the gallery.
So if you used a name, or the password "password", you can pretty much figure out that someone who is not the client you were photographing at the time has seen the pictures. So nope, not really hacking, more like some pretty effective social engineering, and those are two different things in my mind. My adventure with this started last night when one of the most impressive Smugmug support heroes gave me a quick shout that someone was trying to guess the password to a gallery I posted a year ago. I am kind of flattered that they would try this, and I am guilty of using password hints up through this morning, when I reset all the passwords on my protected galleries. I am also thankful that really nothing got to where it should not have gone, because I use at least some sort of password security, and now the hint shows the old password when the password has changed, just because I want to be a jerk about all this.
From there it was a quick dive through my Smugmug Organizer, resetting about 2 dozen passwords, then going on a hunt. While I am a photographer by hobby, I am a computer security person by trade, so this was a great way to exercise just a few of my skills this morning. But you might want to keep an eye on your traffic levels, looking for anything unusual, and if you see a pop (a spike in hits) on a password protected gallery, change the password on it. This one will come around again now that people know to do this; hey, there it is.
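The "keep an eye on your traffic" advice above, and the guessing pattern described earlier (one source hammering a gallery with a short list of common passwords), can be turned into a simple check. This is an added example, not code from Smugmug, Zenfolio or this post; the log format is made up for the illustration, so you would adapt `LINE_RE` to whatever your host actually gives you.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up format ("<ISO time> <client IP> <gallery> <result>");
# this is NOT a real Smugmug/Zenfolio log format, only an illustration of the detection logic.
SAMPLE_LOG = """\
2012-02-07T22:01:03 203.0.113.5 /gallery/smith-boudoir badpass
2012-02-07T22:01:04 203.0.113.5 /gallery/smith-boudoir badpass
2012-02-07T22:01:05 203.0.113.5 /gallery/smith-boudoir badpass
2012-02-07T22:01:06 203.0.113.5 /gallery/smith-boudoir badpass
2012-02-07T22:01:07 203.0.113.5 /gallery/smith-boudoir badpass
2012-02-07T22:01:09 203.0.113.5 /gallery/smith-boudoir ok
2012-02-07T22:05:10 198.51.100.9 /gallery/jones-wedding badpass
2012-02-07T22:05:40 198.51.100.9 /gallery/jones-wedding ok
2012-02-07T22:30:00 203.0.113.5 /gallery/lee-boudoir badpass
2012-02-07T22:30:01 203.0.113.5 /gallery/lee-boudoir badpass
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (ok|badpass)$")

def parse_log(text):
    """Turn log text into (timestamp, ip, gallery, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)),) + m.groups()[1:])
    return events

def find_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (ip, gallery) pairs with >= threshold failed attempts inside `window`.
    Each hit records the failure count and whether a success followed the burst,
    i.e. whether the guess most likely worked and that gallery's password must change."""
    per_pair = defaultdict(list)
    for ts, ip, gallery, result in sorted(events):
        per_pair[(ip, gallery)].append((ts, result))
    hits = []
    for (ip, gallery), seq in per_pair.items():
        fails = [ts for ts, r in seq if r == "badpass"]
        start = 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                guessed = any(r == "ok" and ts > fails[end] for ts, r in seq)
                hits.append({"ip": ip, "gallery": gallery,
                             "failures": len(fails), "guessed": guessed})
                break
    return hits
```

A client mistyping their password once or twice (the jones-wedding lines) stays below the threshold, while a burst of failures followed by a success is exactly the "someone guessed it" case where resetting the password is the only sensible move.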
Geolocate the IP addresses (Smugmug will do that for you), and check your referrers too if you allowed embedding along the way. Smugmug recommends setting the password before uploading, so the gallery does not get slurped into Smugmug's RSS feed while you are uploading. Don't use the same password across galleries, and for the love of all that you believe in, don't use an easily guessed password. Don't use password hints, turn off Right Click Save As, and one site recommended not posting them online at all: meet up with the client and hand them a CD of their pictures. Of course that won't matter if your computer gets hacked, but that is also a risk we face in this day and age.
SLRLounge also has some good advice to follow along the way as well.
So check your stuff out today; don't wait. While the main thread is down at the creeper site (voyeur site), that does not mean this won't happen again, so you might as well take good steps now to secure your stuff, and keep your clients from showing up in places they didn't think they would. Nothing ruins your day quite like having a client ask you why their pictures are all over a porn site.