How To Avoid Leaking Sensitive Photos

Stories are breaking on sites like Fstoppers and Brandsmash about private Boudoir photos that appeared on a creepy voyeur forum.  It’s hard to imagine a more humiliating nightmare for a photographer or their clients.

Photo Used With Permission From Je Revele Photography 

Photos came from several sites, including SmugMug, and we paid extreme attention over the last two days to how it happened.  We tried to take some comfort in observing that in every instance, it came down to passwords that were guessable in just a few tries.

The question for us was what could we do that we weren’t already?  Over the past year, we’ve done considerable work around this problem, but yesterday we decided to expose some of the alerts our systems generate to our customers.

When our systems see several password attempts on a gallery or folder, they now send an email to the owner of the SmugMug site.  It identifies the gallery, gives the first few digits of each password attempt with asterisks for the rest (bou***), and adds info like time of day and geographic location the request may be coming from.

Today our Support Heroes are receiving thank-yous from people whose family members couldn’t get in because they left the caps lock key on or forgot some aspect of the password “it’s a cap O (oh), not a 0 (zero)”.

And we read two help tickets from photographers who discovered that their boudoir galleries had password guessers.  Fortunately, they had long passwords that were too hard to guess, but they are still making changes like removing the word Boudoir from the title, and making the gallery Unlisted so only people who obtain the link can know of its existence.

One of the security upgrades that came with New SmugMug is we don’t store passwords in a form that could leak in any way, including a systems breach, a bug, or a disgruntled employee. We use an industrial grade, Cryptographic hash function.

The breaking stories are about Boudoir photos, but we host incredibly sensitive photos (all cloud services do) of unannounced products and even, we remember, photos of an upcoming TIME Person of the Year.

Best Practices:

1.  Set a good gallery password before uploading photos!

2.  Set galleries and folders to Unlisted.  Unlisted means means no one can see them unless they have somehow been given a link.  They cannot guess the link because it has a random string added to its URL.  The combination of strong password + Unlisted is extremely secure.

You can learn more about how to protect your SmugMug galleries here.

We hope this helps, and thanks for being part of the SmugMug family!

Chris & Don MacAskill


Published by


SmugMug brings you beautiful, personalized online galleries. We love photography and believe that taking pictures makes life better. We're here to help make it fun, enjoyable, and easy for all.

19 thoughts on “How To Avoid Leaking Sensitive Photos”

  1. Thanks for this blog. I have had a Smugmug account (for many years) and recently ( < 1 year ago ?) downloaded your Smug app on my Ipad. When I click on the app, it shows me, Graham Waiting, as a user. That makes me smile): However it also shows a user " mrterrabyte " on my screen. I never worried about this unknown conflict until receiving your blog and because I do not host images that may be sensitive, I ignored. But given this situation, do I need to do something?

    graham waiting

    1. Hi Graham and thanks for being with us! The additional user showing up in your app shouldn’t be an issue. That usually indicates that someone visited their SmugMug site, like another family member who was using your iPad. If you’ve recently updated the app to the new version, you should see a little paper and pen icon in the top right corner. Clicking that will allow you to delete any unwanted users from the app’s home screen.

      Of course if you still have any concerns, our Support Heroes are happy to help:

  2. Maybe you could have two tier authentication. For several of my accounts, if I log in from a different IP than I used to open the account, I get a text msg on my phone or an email with a one time key to verify it’s me. You can also force users to create more complex passwords. Don’t know if those options are readily available or affordable, but it would certainly reduce the worry. Besides boudoir, many people are getting just as sensitive about photos of their young children. For example I keep Pinterest boards for poses by age group for easy reference, and all my “tween” pins were harvested to two different anonymous boards of provocative images. I’ve had to make my pose boards private.

    1. Hi David – Yes, we definitely know that privacy is essential to so many more than boudoir photographers and we hear regularly from families like you looking to keep their photos protected. Thanks for the two-tier authentication suggestion!

  3. I am very glad you have added alerting to the users on password attacks.

    Do you consider this to be a solution thou? There are number of additional steps you are in a position to be able to take in addition to this that you are not.

    This recent password guessing attack has exposed thousands of photo albums to thousands of unauthorized visitors for what is documented over 2 years. Not to mention the noted security issues with the way private option only stopped an album from showing on a homepage for over last 6 years.

    Long story short, you should be adding monitoring of user “behaviors”

    On side note “We use an industrial grade, Cryptographic hash function.”, are you aware so did all of the other companies that are responsible for some of the largest data breaches in history?

    Anyways, I applaud you on a good step forward. I just pray you don’t consider this closure.

    1. Hi MrFluffy,

      That blog post was was from 2008 and a few days later we added the random string on the end of URLs they were advocating. It was one of those things that increased privacy but hurt the user experience by making more complex URLs, but for better or worse it was done 6 years ago.

      When you say all of the largest data breaches used a hash function, it’s my understanding that they actually used encryption, which is two-way, and not a one-way hash like we’re using.

      For example, this analysis of the Adobe data breach:

      The key quote is, “Bear in mind that salted hashes – the recommended programmatic approach here – wouldn’t have yielded up any such information – and you appreciate the magnitude of Adobe’s blunder.”

      I hope this helps,

      1. Agreed, there is a difference between encryption, hashed(unsalted), and salted hashes but that is only relevant if and when the storage of the primary authentication system is attacked. This is not the case here – rather your users are the targets and I envision you as have the resources and ability to raise the bar for your users if you felt it was needed, desired, or market competition demanded better security.

        You deserve recognition for adding alerts, so I don’t want to steal your thunder, but there is much more that could be done.

        Shouldn’t we look at what is happening and say good is not good enough! We are talking thousands of photographers and their clients being exposed, and who knows what the future damages will be for all the sensitive images that were downloaded.

        You could add behavior logic to the mix and cool-down periods for suspect albums so the users have time to react.

        If one person opens many albums successfully from a large numbers of different photographers that should draw attention. (grant it is possible bunch of photographers are reviewing each others work but it certainly would not bother me to get an alert on it, or temporary block the album or account homepage till click link sent to me)

        also attention could be placed on the regions an album is being accessed from – maybe the user travels, has family in different states, or maybe their lover is overseas on duty but if an album is accessed from several different regions over short period of time there is strong chance to identify compromised albums where the users info has been posted somewhere.

        I’m just saying there is a lot more that could and should be done in this area…

        Raise the bar!

        ************** ************** ************** **************

        (off topic) That is good article on the Adobe breach. However it doesn’t state that Adobe DID in fact use Hashing on their main server and that it was the encryption of the backup system that was compromised. – Honestly thou, the type of hash/encryption is more relevant than the differences between the two. But I digress… Lets focus on user security and not the differences between a square and a rectangle.

  4. I agree with what you have said. People have been downloading my images, but I thought I had my setting were not set properly. Perhaps it is a password issue. I do not want people downloading without paying for the pictures as I work really hard taking and editing the pictures.

    Thank You,

  5. > that is only relevant if and when the storage of the primary authentication system is attacked. This is not the case here

    Hi MrFluffy,

    Are you sure about that? 🙂

    Thanks for the constructive feedback and suggestions. We keep tightening security because it’s a constantly changing landscape, but we feel bad about how it infringes upon the user experience. For example, our one-way hashes mean even the pros who created the passwords can’t recover them when they forget one, and neither can our heroes. We hear complaints about that every day, and the answer that it’s a security thing doesn’t satisfy because both our customers and heroes take that to mean we don’t trust them.

    So it feels good when we run across someone like you who understands why we did it the way we did.

    All the best,

    1. Hi Georg, the issues that were going on here weren’t automated attacks, but repeated attempts by real humans to gain access to locked galleries. So while we love the idea of a delay on multiple password attempts, we implemented the email notification system instead. This way if you’re pretty sure that it’s not your client trying to get in, you can change the password to something more secure.

  6. I think you should force users to create a stronger password. You allow the word “password.” Most sites force one capital, one lower case, and one number.

    1. I use weak passwords for some of my galleries because my goal is only to stop automated systems from entering them. Forcing strong passwords wouldn’t be useful for this purpose, but perhaps some meter that shows the strength of the password would be.

  7. SmugMug :
    Hi Georg, the issues that were going on here weren’t automated attacks, but repeated attempts by real humans to gain access to locked galleries. […]

    Thanks for your response!

    I have understood that. But what if these real humans use brute-force-software to break some not so simple or not so guessable passwords? It’s allways real humans (and not Skynet) who try to do things — with or without hackingtools.
    And by the way, gives 787.000 hits who more or less all seem to express the same — a delay of a few seconds is a simple and effective measure.
    I’m just sayin’!🙂

Comments are closed.