Forum Hacks Boudoir Gallery Passwords. Is Your Site Protected?

Current Events February 6th 2014 5:00 AM 11 Comments

Some people have too much time on their hands. And when those same people also are creepers, we come across disturbing stories such as this one.

The Voyeur Forum was outed yesterday by an anonymous tip to various boudoir photographers that their galleries hosted on Zenfolio and SmugMug accounts had been hacked. This forum had 121 pages of links to boudoir galleries and the cracked passwords to each gallery. It seems that the creepers on this forum are making it a game to hack into boudoir galleries, leer at the photos and then discuss them on this forum.

“This is a great thread! Thanks to everyone for all the work that goes into getting these passwords! I do have to say, I love the ones where they are wearing wedding rings. You know those are most likely being done for the husband, and we were certainly never supposed to see them!!!” – Comment on Forum

(That just made my skin crawl).


Screenshot, Source: Brandsmash

The thread has since been deleted (or so the admin of the site so “eloquently” stated):

This serves as a reality check and reminder for all photographers, not just ones that shoot boudoir, to protect themselves, their clients and their businesses by not making it easy for people to guess the passwords and get into our galleries to access client photos and other private information.


With some common-sense Internet practices, your galleries will be better protected in case people with nothing better to do try to break into them. Here are some things to consider when making (and changing, I hope) your passwords:

1. Upper Case, Lower Case, Three Numbers and the Fourth Letter of the Greek Alphabet

I’ll admit, in my old age, it’s getting harder and harder to remember the passwords to everything, especially with more and more companies forcing us to choose more difficult passwords. It’s annoying and tedious and half the time, I’m pressing the “Forgot My Password” link, but remember, it’s there to protect us.

So, mix up your password. Don’t use proper nouns, personal info such as pet names, dictionary words or foreign words. The best passwords are gibberish, made up of a random mix of upper and lower case letters and random numbers or a string of random words.

2. Don’t Keep Galleries Up Indefinitely

I know it’s a pain to remember to go in and hide the galleries after a while, but a good practice is to give your clients a time limit to choose their photographs and share their links. It might be a good idea to remind your clients to share the links to their galleries and the passwords with caution.


3. Change Your Passwords Frequently and Don’t Use the Same Passwords

It’s very easy and painless to keep the same password across the board – from your network passwords to your online banking to maybe all of your pet portrait galleries. But remember, it’s easier to change the passwords every few months and write them down than it is to deal with someone hacking into your accounts with a simple password like “furrypetprincess.”

4. Use Only Trusted Online Storage Options

This only goes so far, as clearly these hackers broke into sites like SmugMug and Zenfolio, which are reputable sites with great safeguards that help us protect our galleries, but we need to utilize some of them. They have solid password protection, but keep in mind places like Dropbox, Flickr, even your Google Drive and Costco Photo accounts are also places that they will try to hack into. When looking to store your photos online, make sure the company has practices in place where you can keep your clients’ photos as secure as possible. There are a few sites that don’t require passwords for their galleries. I’d stay away from those. If your online gallery host allows you to set specific viewing permissions – like assigning passwords or giving only specific people access – you’d be wise to utilize those services.

Conclusion

I’ll admit, I used to be in the “It’s not going to happen to me” mindset. Then, as I hear more and more about people getting their identity stolen, then with the recent Target Credit Card hack and now stuff like this, I want to pull my entire presence off the Internet and go hide in a cave somewhere. The “It’s not gonna happen to me” mindset is dangerous and serves you no protection. Sometimes, sadly, you find out the hard way, that indeed, it may very well happen to you.

I’m off to change all of my passwords now. I hope you’ll do the same.

[Source: Brandsmash/Mike Allebach]
Hanssie

About

Hanssie is a Southern California based wedding and portrait photographer. In her free time, she homeschools, shakes hands and kisses babies for UNDFIND and is the Managing Editor of SLR Lounge. She also blogs about her adventures as a single gal “In The In Between.” Check out her work and her blog at www.hanssietrainor.com.

11 Comments

  1. WJP

    I used to do some tech support for soccer moms. One of the things I told all of them is that they shouldn’t put anything online that they didn’t want the entire world to see. Posting such private photos in a gallery online in this world is a big risk that your client may not fully understand. Maybe going a little old skool is the answer. Give them a CD with the photo galleries on it. I know there are CMS options to run a site from a CD. Joomlas2Go comes to mind, but there are other options out there for other CMS systems. If you use a CMS style system, the images would be buried in the database which would protect your intellectual property from infringement from all but the most technically savvy clients. There would be some risk, but much less risk than the risk that some creeps in a forum would basically release your IP into the public anyway. Just build the buy prints option into the offline site so that the images can be printed and you still have monetized the printing while keeping creeps from hacking your online galleries.

    0
    • Hanssie

      Good tips! I know I bury my head in the sand thinking that it’ll never happen to me, but no more of that. The whole CD option sounds like a pain…but that might be a good option to look into!

      0
  2. Bob

    Passwords should be considered like a toothbrush. Only one person uses it and it gets changed every six months – sooner if it needs it.

    1
    • Hanssie

      That is a GREAT way of looking at it. I spent a ton of time after writing this changing my passwords.

      0
  3. Peter

    A large number of passwords are hacked by creation methods such as the one suggested in point 1 creating passwords people won’t remember and then storing it someplace else. http://xkcd.com/936/ suggests a way that produces a far easier to remember password, that is also far more resistant to brute force attacks.

    Another option is to use a password vault that means you only have to remember one of the passwords. Better make sure it’s a nice secure one and the password is good.

    0
  4. Michelle Ford

    you know what i’ve wished since the beginning .. and i’m a smugmug user. creating an expiration on gallery access. it should be so easy programmatically to allow the owner of the gallery to set an expiration date on the password assigned to the gallery. it would eliminate the need to go back after x days to cut access off.

    0
  5. Jason Dries

    I saw this a couple days ago and immediately started emailing some of the photographers. I’m glad it was taken down, but I did read a few of the pages with sites and passwords. Many, many of the galleries were entitled things like, “Boudoir for Michelle” or something along those lines. That said:

    The MOST common passwords were:
    1. The first name of the client.
    2. The last name of the client. This is relatively easy to find, by the way. You find the photographer’s matching Facebook page, find the “teaser” gallery usually posted by the photographer and then look for the first like. The first like is usually the lady in question and there’s her last name and perhaps some info about her.
    3. The first+last name of the client.
    4. The client’s initials.

    This isn’t really hacking in the traditional sense of the word; but more password guessing based on some easy and repetitively successful guessing techniques. Yes, you can unleash a small program to unlock practically any password that doesn’t have a set false entry lockout, but the above mentioned passwords just made it that much easier.

    I don’t do boudoir photos myself, but I’d recommend a different solution to this problem: After your session, have the lady write down a password on the back of your business card. Encourage multiple letter, number and symbol combinations. She then keeps your business card for later use. You copy down the password into your notebook (the one that many of us keep in our photography backpack or setup somewhere…). That way, your business card is taken home and they HAVE to keep it handy if they want into their images.

    The added bonus, besides forcing folks to keep your card handy, is that each person is creating a different and unique password from the last person. This eliminates YOU from thinking of unique passwords. As the author suggested, it gets hard to think of unique stuff again and again and again…..

    0
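A way for a photographer to vet a gallery password before assigning it, given the guessing patterns listed in the comment above (client first name, last name, first+last, initials, words from the gallery title) and the random-word approach from the xkcd link. This is an added example, not code from the article, the commenters or any gallery host; the client "Dana Rivers", the gallery title, the word list and all function names are constructed for illustration.

```python
import re
import secrets

# Constructed 16-word sample list, far too small for real use: load a list of
# several thousand words so that four random words are hard to brute-force.
WORDS = ["anchor", "breeze", "copper", "dune", "ember", "fjord", "glacier",
         "harbor", "ivory", "juniper", "kettle", "lantern", "meadow",
         "nickel", "orchid", "pebble"]

def normalize(text):
    """Lower-case and keep letters only, so 'Rivers123!' compares as 'rivers'."""
    return re.sub(r"[^a-z]", "", text.lower())

def name_derived_guesses(first, last, gallery_title=""):
    """Guesses available to anyone who can read the gallery title or client name."""
    f, l = normalize(first), normalize(last)
    guesses = {f, l, f + l, l + f}          # l + f is an added variant
    if f and l:
        guesses.add(f[0] + l[0])            # initials
    # Words from the gallery title, e.g. "Boudoir for Dana" -> boudoir, dana
    guesses |= {normalize(w) for w in gallery_title.split() if len(normalize(w)) > 3}
    guesses.discard("")
    return guesses

def is_name_derived(password, first, last, gallery_title=""):
    """True if the password, minus digits and symbols, is one of those guesses."""
    return normalize(password) in name_derived_guesses(first, last, gallery_title)

def new_gallery_passphrase(first, last, gallery_title="", n_words=4):
    """Random-word passphrase drawn with the OS CSPRNG, re-drawn if name-derived."""
    while True:
        phrase = "-".join(secrets.choice(WORDS) for _ in range(n_words))
        if not is_name_derived(phrase, first, last, gallery_title):
            return phrase

if __name__ == "__main__":
    client = ("Dana", "Rivers", "Boudoir for Dana")   # constructed sample client
    for pw in ["Dana", "rivers123", "DanaRivers!", "DR", "copper-dune-ember-fjord"]:
        print(f"{pw!r:28} name-derived: {is_name_derived(pw, *client)}")
    print("suggested:", new_gallery_passphrase(*client))
```
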
  6. Christine

    It actually wasn’t an “anonymous” source that broke this news in the boudoir world. It was a boudoir photographer doing a search for herself — and one of her galleries was on the list so it came up in the search. Those of us in the forum with her know exactly who it is, however we aren’t revealing it because of the fact that we don’t want these people coming after her.

    Just because we found one site, doesn’t mean there aren’t hundreds of others out there. Matter of fact, we found a second one tonight. This one isn’t listing URLs & passwords though, it actually has zip files of galleries that they have scraped from sites.

    These days? The safest option is what WJP said – if you don’t want it to be seen, don’t put it online.

    This isn’t just news for photographers — it also applies to senior photographers, children photographers, etc. There are some pervy people out there, and do you really want them looking at your photos? NO.

    0
  7. Christine

    PS — I found another, completely different site last night. With 80+ pages of zip files, free for people to download. Some were porn, some were people’s vacation photos with topless women on European beaches (they “left the boring vacation shots out”), some were from maternity sessions, and lots of professional boudoir. Instead of galleries + passwords, this site was the actual PHOTOS. Unfortunately, because of that – there was no way of identifying who any of the photographers were.

    Tons of other results showed up in my Google search. After digging through that one site? I couldn’t handle anymore. I didn’t even look.

    People’s PERSONAL VACATION PHOTOS. This isn’t just about boudoir photographers, people.

    0
    • Allie

      Christine – I’ve had two of my clients report being harassed with images I took of them in boudoir sessions and I checked through the 121 page thread and my galleries aren’t listed in any of them. How can I inspect the photos you’re talking about? My father is an attorney and I’m prepared to do anything necessary to go to bat for my clients. My email is [email protected]

      0
  8. Holly Gordon

    Here is the link to the site that posted the hacked boudoir urls:

    http://www.thevoyeurforum.com/forum.php

    0
