story by Mike Allebach
Today an anonymous tipper let several boudoir photographers know their websites were being hacked. A forum discovered today contained 121 pages of passwords and links to boudoir galleries. The members of this forum have cracked and hacked into hundreds of galleries hosted on SmugMug and Zenfolio.
The scariest part is that some of these hackers are using this tactic to extort money from your clients! Some of them are doing it for other reasons.
“This is a great thread! Thanks to everyone for all the work that goes into getting these passwords! I do have to say, I love the ones where they are wearing wedding rings. You know those are most likely being done for the husband, and we were certainly never supposed to see them!!!” – Forum Comment
It’s your worst nightmare and you didn’t even know it was happening. Currently it looks like the attacks are purely dictionary-style and common-word guessing. This means the hackers are throwing common words and names at the password fields and getting in; they aren’t using backdoors or other hacking methods.
For your sake and your clients’ sake, I will only post screenshots (no links).
Here is how it works. A person on the pervert forum posts a gallery link, and then the password crackers on the forum take a shot at it. The first one who gets in posts the password (and wins). Then they discuss the photos. Catching the drift?
Stop whatever you had planned to do tonight and ask yourself these questions.
How hard is it to guess my passwords? Could they be cracked by a bot? By a human?
Here are 5 Ways to Secure Your Photo Galleries Now
1. Meet in person only. In-person sales are the most profitable anyway. Photos never go online and everyone is safe. (We talked to the Salesographer last week about how in-home sales can net you $2,000 more per session.)
2. Never use names for passwords. This is the most common way these passwords are being cracked: the password is simply the client’s first or last name.
“I usually pick a silly reference to use that only the client and I will understand. Something that happened the day of the shoot or something personal to her. The funny part is it protects their gallery and it makes them laugh. I get so many emails back from clients saying ‘loved the password’ or ‘I can’t believe you remembered that’. I also never leave hints on the password page of my Zenfolio site.” – Jen Rozenbaum of Jenerations
3. Don’t use password hints for boudoir galleries. Ever.
4. Use a string of words. Read this Lifehacker article on how they are more secure than gibberish and easier to remember.
5. Password-protect your backup programs as well. These password crackers and hackers are attempting to log into photographers’ Dropbox accounts, backup software, you name it; they are trying to get in. It’s a game for them.
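As an added illustration (not code from this post, nor from SmugMug or Zenfolio): a small Python check a photographer could run over a proposed gallery password before using it. It rejects the choices the post says are being guessed (the client’s name, a single common word, a password the hint gives away) and gives a rough guessing-work estimate that favours a string of words, covering rules 2 through 4 above. The word list, the 12-character minimum, the 20,000-word passphrase dictionary size and the sample client names are all constructed assumptions, not values from the post.

```python
import math
import re

# Constructed stand-in for a cracking dictionary (a real check would load a
# large word list from disk). The post says the attacks are purely
# dictionary and common-word guessing, so this is the list to test against.
COMMON_WORDS = {
    "password", "boudoir", "sexy", "love", "photo", "gallery", "secret",
    "beautiful", "summer", "wedding", "bride", "princess", "123456", "qwerty",
}

# Assumed size of the word list a passphrase is drawn from (an assumption,
# not a figure from the post); ~20k is a typical English word list.
PASSPHRASE_WORDLIST_SIZE = 20_000


def _normalize(text: str) -> str:
    """Lowercase and drop everything except letters and digits, so that
    'Sarah', 'sarah!' and 'SARAH_' all compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def vet_gallery_password(password: str, client_names, hint: str = "") -> list:
    """Return the reasons a gallery password is weak (empty list means it
    passed). client_names: the client's first/last names and any other names
    tied to the gallery; hint: the text of any password hint shown to visitors."""
    problems = []
    pw = _normalize(password)
    if len(pw) < 12:  # assumed minimum, not a figure from the post
        problems.append("shorter than 12 letters/digits")
    # Rule 2: the client's name (alone, or padded with digits or punctuation)
    # is what the forum guesses first.
    for name in client_names:
        n = _normalize(name)
        if len(n) >= 3 and n in pw:
            problems.append(f"contains the client name '{name}'")
    # A single dictionary word, with or without a trailing number, falls to
    # the common-word guessing the post describes.
    if re.sub(r"\d+$", "", pw) in COMMON_WORDS or pw in COMMON_WORDS:
        problems.append("is a common dictionary word")
    # Rule 3: any hint that overlaps the password gives the guesser a start.
    h = _normalize(hint)
    if h and (h in pw or pw in h):
        problems.append("the password hint reveals the password")
    return problems


def estimated_guess_bits(password: str) -> float:
    """Rough work factor, in bits, for a password that has already passed
    vet_gallery_password. A phrase of three or more words is scored as words
    drawn from a word list (rule 4); anything else is scored as characters
    drawn from the character classes it uses."""
    words = [w for w in re.split(r"[\s\-_.,]+", password.strip()) if w]
    if len(words) >= 3:
        return len(words) * math.log2(PASSPHRASE_WORDLIST_SIZE)
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    # Constructed sample choices, not real client data.
    client = ["Sarah", "Johnson"]
    for pw, hint in [("Sarah2014", "her first name"),
                     ("boudoir", ""),
                     ("purple-llama-wore-galoshes", "")]:
        problems = vet_gallery_password(pw, client, hint)
        print(f"{pw!r}: {problems or 'ok'}, ~{estimated_guess_bits(pw):.0f} bits")
```

Run the vetting step first: the bit estimate only means something once a password is known not to be a name or dictionary word, since a nine-character name-plus-year scores respectably on character classes yet is exactly what the forum guesses first.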
I’m reaching out to Zenfolio and SmugMug for additional tips on securing your site and will report back with their biggest tips.
SmugMug shared these tips: http://news.smugmug.com/2014/02/07/how-to-avoid-leaking-sensitive-photos/
Mike Allebach: Founded Brandsmash as a marketing resource for small business owners with his mantra “Your story changes everything.” A Communications & Marketing Director turned business owner, he hosts BrandsmashTV. Hailed by Rock n Roll Bride as “the Original Tattooed Bride Photographer,” Mike Allebach crafted one of the most distinct niches in photography. Mike’s Brandsmash Stories & Wedding Photos have been featured in over 100 blogs, newspapers & magazines.
In 2014 he started BrandsmashTV and Brandsmash Workshops to teach small business owners social media, storytelling, branding & marketing. See him teach in person at Inspire Photo Retreats in Massachusetts, February 12 or at the WPPI Expo in Las Vegas on March 6.