- Some private photos on Photobucket were improperly accessed and shared
- Hackers using a practice known as "fusking" to gain access to images
- Photobucket to start using scrambled URLs to combat fusking
- "Social media sites just can't keep up" with hackers, social media attorney says

What happens on social media doesn't always stay on social media.
That may be the unfortunate lesson for those who've recently had private photos accessed and shared due to a privacy gap on the photo-sharing website Photobucket.
Nude, explicit, and R-rated images uploaded on the social media site were in some cases made available to view on public Web forums dedicated to exploiting Photobucket's privacy settings. The breach was first reported last week by BuzzFeed.
The breach of privacy "is a very rare occurrence that has affected only a small number of Photobucket's users," said Photobucket spokesman David Toner.
But the forums, some filled with stolen racy pictures and others with instructions on how to access more, have drawn thousands of viewers.
While users who post unencrypted photos on Photobucket can make their albums password protected, individual photos, even in a private album, can be shared with others through a direct web link or URL.
Hackers versed in Photobucket's privacy settings can access unencrypted pictures in password-protected albums by using software that deduces the direct web link, a practice commonly known as "fusking."
With a Photobucket username and a list of common titles for photos, fusking software can extract images from private albums by finding patterns in the posted pictures.
For instance, if an album has an image titled IMG_03, hackers may deduce that there is an IMG_06 and IMG_07. They can then access the images by guessing the direct link, even if the photos are in a password-protected album.
Photobucket says it's aware of fusking and has made efforts to limit the number of accounts hacked.
"Scrambled URLs have been an option for the past two years and will be the default for all new uploads," Toner said. "The company is in the process of reminding users about the option to scramble URLs to prevent fusking."
The scrambled URLs make it more difficult for hackers to guess sequences of images and find those meant to be kept secret. But if users have not turned on URL scrambling, photos may remain vulnerable.
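An added example, not Photobucket's own detection logic and not part of the original report: one way a site could flag the filename guessing described above is to look for a client that requests many numbered filenames in one user's album and mostly gets 404 responses. The log format, the `/albums/<owner>/<file>` layout, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log ("<client> <path> <status>"); format and paths are assumed.
SAMPLE_LOG = """\
203.0.113.9 /albums/alice/IMG_01.jpg 404
203.0.113.9 /albums/alice/IMG_02.jpg 404
203.0.113.9 /albums/alice/IMG_03.jpg 200
203.0.113.9 /albums/alice/IMG_04.jpg 404
203.0.113.9 /albums/alice/IMG_05.jpg 404
203.0.113.9 /albums/alice/IMG_06.jpg 200
203.0.113.9 /albums/alice/IMG_07.jpg 200
203.0.113.9 /albums/alice/IMG_08.jpg 404
198.51.100.20 /albums/alice/IMG_03.jpg 200
198.51.100.20 /albums/alice/IMG_06.jpg 200
198.51.100.21 /albums/bob/beach1.jpg 200
198.51.100.21 /albums/bob/beach2.jpg 200
198.51.100.21 /albums/bob/beach3.jpg 200
198.51.100.21 /albums/bob/beach4.jpg 200
198.51.100.21 /albums/bob/beach5.jpg 200
"""

LINE = re.compile(r"^(\S+) /albums/([^/]+)/([^/\s]+) (\d{3})$")
NAME = re.compile(r"^(.*?)(\d+)\.\w+$")  # e.g. "IMG_" + "03" + ".jpg"

def find_enumeration(log_text, min_names=5, min_miss_ratio=0.5):
    """Return (client, owner) pairs that walk numbered names and mostly miss."""
    numbers = defaultdict(set)  # (client, owner, prefix) -> counters requested
    total = defaultdict(int)    # (client, owner) -> requests seen
    misses = defaultdict(int)   # (client, owner) -> 404 responses
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        client, owner, filename, status = m.groups()
        total[client, owner] += 1
        misses[client, owner] += int(status == "404")
        n = NAME.match(filename)
        if n:
            numbers[client, owner, n.group(1)].add(int(n.group(2)))
    flagged = set()
    for (client, owner, _prefix), seen in numbers.items():
        ratio = misses[client, owner] / total[client, owner]
        if len(seen) >= min_names and ratio >= min_miss_ratio:
            flagged.add((client, owner))
    return sorted(flagged)

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

The viewer following two shared direct links and the client browsing an album with no misses are not flagged; only the client that walks the `IMG_` sequence and mostly hits missing files is.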
"There are additional technical flags and safeguards in place when we suspect that fusking is being attempted; however, we have also taken several actions that will plug any existing holes that allow this activity," Toner added.
"Privacy settings on social media sites just can't keep up with how fast technology is adapting," said Ethan Wall, a social media attorney in Miami. "As sites get more private, hackers and people who want to get more information will continue to get more sophisticated."
The responsibility, however, ultimately rests with the user.
"What you say and do on social media can be used against you and it can be found," Wall added. "If you don't want someone else to see it, don't post it."