Thousands of Boudoir Galleries Hacked, Private Client Galleries Revealed


Recently, a large group of hackers was exposed for getting into private boudoir galleries and downloading nude images of models and clients directly from photographers' websites. Some of them used the images for personal gratification, some to extort money from the model or client, and others for many more disgusting purposes. I reached out to Erin from Erin Watson Photography, who was one of the group's targets. She gave us more insight into what happened so we could see what could be done to prevent situations like this from occurring again.

About a month ago, Erin received a huge spike in views on her Zenfolio hosted website. A lot of the views were specific to her boudoir galleries. Concerned, she emailed Zenfolio and got a response that the only thing to do was change her passwords. She did that and then the traffic actually went back to normal. Maybe it was the change of passwords or maybe they gave up because they could not actually access her galleries. Erin says she really did not think much about the spike in traffic until a few nights ago when she, along with a handful of other boudoir photographers, received a message that said the following.

“A very kind photographer just alerted me to a group of hackers trying to get into my boudoir galleries. Nothing was compromised, and I just shut everything off to be extra safe, but I just spent a while reading the message boards of these guys, and they have hacked literally thousands of photographers' galleries. Thousands! Mostly (they got hacked) because SO MANY photographers used "boudoir" or the client's first name for the password. If you are a boudoir photographer, LOCK YOUR PHOTOS DOWN, and do so using a word that isn't obvious or easy to figure out. Also, make sure you password protect a gallery before uploading photos into it. Some of these guys follow the SmugMug and Zenfolio RSS feeds and get into the galleries while the images are being uploaded, before passwords have been added.”

The last thing any photographer wants is for a client to be exposed. To get a sense of how it feels, I asked Erin a few questions; she was kind enough to answer them and give more insight into what was going on.

Q. Erin, how did you initially find out about the people trying to hack boudoir galleries?
“I first saw it posted in one of the boudoir groups on Facebook, then shortly after, another photographer messaged me (as seen above). This whole thing is a mess though. I will say I’ve really been impressed by the community. I’ve gotten 4 separate messages from other photographers I didn’t know who also notified me about it.”

Q. What was your initial reaction to hearing about what was going on?
“I had mixed emotions. I’m disappointed to find out there is a community out there that is doing this and also that it took almost two years to find out that it was happening. I think it’s quite eye-opening for many photographers to realize that their clients’ images weren’t as safe as they assumed. The silver lining though is that I’m impressed by the community for reaching out to others and trying to help each other out.”

Q. Now that you know what is going on, are you doing anything new to prevent any chances of someone actually making it into your galleries compared to before?
“I already keep a close eye on the activity of my clients’ galleries, which is why I was able to stop anything from happening the first time, but I will be implementing more secure passwords and only keeping galleries open for a short time now. I have seen quite a few photographers say they are also switching to in-person sales only, which I think is a great idea as well!”

Below are some screenshots, found on BrandSmash, from a forum where the hackers were talking.

[Screenshots: BoudoirHackers, HackedBoudoir]

BrandSmash also published 5 tips to secure your photo galleries:

  1. Meet in person only. Being face to face with your client is one of the most profitable sales tactics. Even if all you are doing is giving your client the digital copies, keeping them on a flash drive and hand delivering these private boudoir images will keep them offline (on your end) and out of the hands of hackers.
  2. NEVER use names for passwords. The top way that the hackers were getting into the galleries was simply by guessing the passwords. If your password is the first or last name of your client, you are only making it easier for other people to access their photos.
  3. NEVER use password hints on a boudoir gallery. If they couldn’t figure out a topic to guess from in the first place, creating a hint is only going to help them that much more. Remember, boudoir pictures are not like senior portrait sessions. They (usually) are not put in frames and sent to grandma to hang on her fridge, and most clients want to keep them private.
  4. Use a string of words as the password. Don’t focus on random letters and don’t focus on one word passwords. Create a long string of words instead.
  5. Password protect your backup programs as well. The hackers are not only attempting to get into the gallery, they are also trying to get into Dropbox accounts, copy accounts, and other software. This is a game for them, so they keep trying until they win.
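As an added example (not code from the article, BrandSmash, or any gallery host), the following Python policy check turns tips 2 through 4 into something a photographer's upload script could enforce before a gallery goes live: it rejects passwords built from the client's name, the gallery title, or the obvious words the forum posts mention, rejects any password hint, and shows why a multi-word passphrase from a random word list is stronger. The blocklist and word list are small constructed samples.

```python
import math
import re
import secrets

# Constructed blocklist of the guessable choices named in the article; a real
# deployment would load a large leaked-password list in addition to these.
COMMON_GALLERY_WORDS = {"boudoir", "love", "princess", "password", "sexy", "photos"}

# Constructed sample word list; a real tool uses a diceware-style list of
# several thousand words (7776 is the standard diceware size).
WORDLIST = ["maple", "copper", "lantern", "river", "cactus", "velvet",
            "orbit", "harbor", "pixel", "saddle", "tundra", "glacier"]


def _tokens(*texts):
    """Split names/titles into lower-case words of 3+ characters."""
    toks = set()
    for text in texts:
        for t in re.split(r"[\s\-_.]+", text.lower()):
            if len(t) >= 3:
                toks.add(t)
    return toks


def check_gallery_password(password, client_name, gallery_title="", hint=""):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    # Compare against the password with separators removed, so "Jane-2014" and
    # "jane2014" are treated alike. Substring matching is deliberately strict:
    # it may reject harmless words that happen to contain a name.
    squashed = re.sub(r"[^a-z0-9]", "", password.lower())
    forbidden = _tokens(client_name, gallery_title) | COMMON_GALLERY_WORDS
    for tok in sorted(forbidden):
        if tok in squashed:
            problems.append(f"contains guessable word {tok!r}")
    if hint:
        problems.append("password hint is set; remove it for private galleries")
    words = [w for w in re.split(r"[\s\-_.]+", password) if w]
    if len(words) < 4 and len(password) < 16:
        problems.append("use at least four words or 16+ characters")
    return problems


def passphrase_entropy_bits(num_words, wordlist_size):
    """Entropy of a passphrase drawn uniformly from a word list."""
    return num_words * math.log2(wordlist_size)


def generate_passphrase(num_words=4, wordlist=WORDLIST):
    """Random multi-word passphrase (tip 4), using a CSPRNG."""
    return "-".join(secrets.choice(wordlist) for _ in range(num_words))
```

A four-word diceware passphrase (7776-word list) gives about 51.7 bits of entropy; the same function shows that four words from a twelve-word sample list give only about 14 bits, which is why the real list must be large.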


Don’t give these people the opportunity to access your clients’ personal boudoir photos. Lock down the galleries as well as possible, and go the extra mile to lock down your backup applications as well. If you recently had boudoir photos taken, pass this on to your photographer so you don’t fall victim to these hackers. Not everyone is lucky enough to have someone like Erin Watson actively watching over their galleries, noticing out-of-the-ordinary activity, and acting on it before anything bad happens.

What are your thoughts on this article?

(information sourced from BrandSmash and Erin Watson Photography)


John White is a photographer from Northwest Indiana. He specializes in individual portraiture. Outside of photography, John enjoys building websites for fun, doing graphic design, and creating videos. Also, he really loves Iron Man. Follow him on his social media profiles to keep up to date with what he has going on!

39 Comments

I am more upset at the photographers than the hacker. The internet has matured into something with a life of its own, and not treating it as such is downright irresponsible. You wouldn't leave your purse/wallet/camera unattended on a bar stool to step outside for a while, and if you did and it was gone when you got back you would probably get more criticism than sympathy.

In photographic terms, you would not deliver an unbound, unsealed set of these kinds of prints to the client's receptionist at work and say "put them in the break room so [Jane] gets them!" I am not saying that I expect photographers to be concerned with cryptographically signed infrastructure or the risk of a particular host's salted-hash to rainbow table exploitation, but you are RESPONSIBLE nonetheless. Pick a good host, and follow some common sense.

Well, speaking as a person in the information security business, I'd say the best option is #1, and NEVER put any of these photos online. Additionally, if possible, never put them on a system that is accessible at all from the Internet. Safest is keep them on a system that does not have direct Internet access at all, not even through a proxy or network translation, but probably few will be able to do that effectively.

Password protecting backups will do you no good unless they are encrypted, and the encryption key protected with a strong passphrase (a la suggestion #4).

I started a general password rant but then deleted it. The above will do.

heh, you mean the "think of a good password, then use it for your Adobe account and every other website you go to" blunder?

Wrong. The most secure option is to never take photos.

or...... drum roll......

shoot film.

Film can get stolen or scanned.

True, but to steal my film you'd have to get past my gate, my dogs, my locked door, 10 rounds of 9MM and know the combination to my safe.

"These pictures are of a really sensitive nature. I better upload every one of them to the internets."

Awesome article John! Photographers should definitely start doing better jobs of protecting their galleries for sure!

Well, In my opinion

1) You never rely on an external provider to host images. Do it on your own website or, better, don't do it online at all.

2) On your personal computer, ZIP the pictures and protect the archive with a password (yes, you can do that)

3) Back up regularly. I personally do a full backup every 6 months which goes into a bank safe. Peace of mind for $50 a year.

Zip or RAR archives with passwords are not at all secure unless you are only preventing the average person clicking around on your computer from opening the wrong file. Use a real encryption program like TrueCrypt if you want security. You may want to also incorporate additional error checking and secure copying into your backup system as well, in case the single TrueCrypt archive (or zip file) becomes corrupted.

You could use NSA grade encryption and if you use your model's name as the key encryption password, any one of these "hackers" can easily decrypt your file.

Wordpress for the win....

Wordpress only wins if properly configured and updated. Switching to Wordpress won't help one bit with the behaviors described in the article: Setting weak passwords, or not setting passwords at all.

Actually Wordpress with a password protected zip file for nsfw pictures

That's not going to help you if your password is the name of your model.

Who would do a silly thing like that :)

There's another angle here that is darker than most of us understand. Please read this article below about Hunter Moore and the website "Is Anyone Up?". He did more than expose some inappropriate photos, he and his followers targeted young women and used sophisticated means to destroy lives. I mean that literally -- many of their victims lost jobs and friends and some even took their own lives. Getting hacked by these people will not damage your business, it could destroy it ... and the lives of your clients as well.

http://www.xojane.com/it-happened-to-me/charlotte-laws-hunter-moore-erin...

Well thank God he's locked up.

He's locked up but there are two dozen websites that have filled the niche and exist in countries that give zero f*cks about the photos being stolen.

Exactly. There are some serious scumbags in this world. As photographers we need to make sure our clients are victimized for wanting photos for their loved ones or to celebrate themselves.

These aren't "hackers". These are people who guessed your easy password.

Sorry.. I was going to go with "amateur password guessers" but it didn't really make the article read well. I figure hacker ("a person who secretly gets access to a computer system in order to get information, cause damage" - Merriam Webster) was close enough in terms to fit. ¯\_(ツ)_/¯

But in reality, the goal was to open up people's eyes to be more careful with their galleries and pay more attention. Even though it seems obvious to put difficult passwords or take the images off the web and do in-person sales etc..., some photographers are not doing this and those are the ones this article was targeted to, and I really hope it at least makes 1 person take that extra step to protect their images. Hopefully you find some of my future posts more fitting to you. Thanks :)

It's good that you've pointed this out, but at the core is just bad judgement when it came to password protecting.

Playing along with your condescending answer, I think the term hacker should be given to a person that does these kinds of things all the time or as a profession or custom, and I don't think you know whether these people do it all the time or not. You only wanted an alarming title for your article; you could have well written something like "Weak passwords reveal boudoir pictures". Inferring that "a huge string of hackers" were doing this reflects a way different subject, so I think you shouldn't be so smart ass about it. Just my opinion.

Sorry to say but naïve people don't have much fun on the internet. The sad truth is that there are a lot of as*#$es trying to damage innocents.
By the way, I was one of them (the naïve ones); someone tried to ruin my personal life by attacking my internet life. Since then I take internet security seriously. That's social intelligence: the weakness is in the attacked person (dumb passwords), not in the security system.

As a professional Photographer and Information Security specialist I can tell you I have spent years securing Fortune 50 companies and their data. The weakest link is always going to be the user, followed closely by the lack of proper security protocols and procedures. The suggestions several others had here are also valid. Never put anything on the Internet you do not want anyone to access is probably the best. Using the 'cloud' or online offsite hosting on servers you do not own is also a huge risk. If you shoot sensitive subjects, invest in hiring a qualified security professional for an analysis of your data security and have regular reviews of those systems.

Admin replying in regards to the issue:

http://www.thevoyeurforum.com/discuss-voyeur-techniques/13813-all-you-bo...

"Nobody hacked your goddamn galleries you tools! I don't allow hacking here.

And the thread is deleted, so please stop crying. There are probably a 100 places where people are guessing your passwords because they are so extremely easy an 8 year old could get access. Get a clue!

Change your passwords to something else than "love" or "princess" or your frigging name!"

Finally someone tells it like it is....

"Use a string of words as the password. Don’t focus on random letters and don’t focus on one word passwords. Create a long string of words instead."

This has actually been disproven multiple times. Here's one article on how passwords are actually hacked:

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-ou...

Nice article Kyle! I actually posted that after seeing BrandSmash's link to this article which stated the opposite. Both make good points though. http://lifehacker.com/5796816/why-multiword-phrases-make-more-secure-pas...

Sometimes it is very easy and you don't have to be a hacker to do that kind of stuff. Some simple things like an .htaccess or even a dumb index.html can save the privacy of your work and clients.

For Zenfolio users, I've found that creating the new gallery, then making it private / pw protected - and then changing the default name to an easy to remember URL (then adding pics) is a decent way to have some security over the URL itself becoming publicly discoverable. I use this for generic portrait shoots.

For anything NSFW, I make the client register as a user on my site - then give only them access to their folder (access control / edit / "Allow access to these registered Zenfolio users only"). That way - even if someone does manage to determine the URL (which does not include the client's name) they then need to guess the client's username and password to get into the pics.

Still not foolproof - but the best compromise I've come across between letting the client have access and locking them down to everyone else as much as possible.

I always try to meet my clients face to face to give them a USB drive with my logo and their photos; it also gives me an opportunity to try to rebook them for a Christmas card or Valentine's Day shoot.

Did anyone notify the clients that their images may have been compromised by unauthorized people? The victims here are not the photographers, but the people in the photos.

Good topic - but these were not hackers. Hackers will get access to your galleries no matter what if they really want to - and websites such as Zenfolio, Flickr and others just don't have much security against such attacks. But this is def a good topic to discuss with your clients.

I had my boudoir gallery hacked and it was one of the most infuriating experiences of my life. My photographer, bless her heart (I really do love her), used my full name on the gallery, so once the hacker found it and guessed my password, it was super easy for the creep to find me as well. As a photographer, I was less humiliated (because I think he thought his power came from the assumption that I'd be ashamed if anyone found out I'd had a boudoir session done FOR MY HUSBAND) and more angry at the invasion of privacy, and mad that someone would take something pure and try to turn it into a weapon against me. I don't know how many other photographers' clients have actually been blackmailed/extorted in this situation, but yeah, my first call was to the police. Not something to mess around with.

Don't want them "hacked" or ripped? Don't place them on the web.

A flash drive is $4.00 on a bad day. People should be just proofing these and deciding.. It should go from small jpeg to flash.. and paper.

I found this after receiving an email from SmugMug about failed attempts. What I find funny is that the galleries they are trying for are not paying clients but models. I have the IP addresses.