How did the National Enquirer obtain the richest man in the world’s sexts?
While the truth remains a closely guarded secret, plenty of theories have been floated. Gavin de Becker, the sagacious security consultant granted carte blanche to investigate the situation by Jeff Bezos, the ultra-billionaire founder of Amazon, alleged adulterer, and target of the Enquirer’s prurient exposé, supposedly believes his boss was not hacked. That’s what Manuel Roig-Franzia, a feature writer with the Washington Post, a publication Bezos owns, says de Becker told him anyway, adding that de Becker believes the leak may have been “politically motivated.” In a recent interview on MSNBC, Roig-Franzia added that de Becker, with whom Roig-Franzia says he has chatted extensively about Bezos’ predicament, is entertaining the possibility “that a government entity might have gotten hold” of Bezos’ text messages and then, somehow, these texts found their way into said tabloid.
Considering for a moment that this might be true, which regime might have done so? Michael Sanchez, an avid Trump supporter and brother of Lauren Sanchez, Bezos’ mistress, has apparently discussed with de Becker the possibility that the president, an avowed Bezos opponent, enlisted allied intelligence services, such as those run by the UK and Israel, to dig up the dirt. It’s a fantastical scenario that stretches the imagination beyond all elasticity. Bezos, on the other hand, seemed to intimate in an essay on the blogging site Medium that the intrusion could have involved another state actor. Specifically, Bezos dwelled on connections between American Media Inc., the Enquirer’s parent, and Saudi Arabia. (The recent murder of Washington Post columnist Jamal Khashoggi by Saudi agents, and the kingdom’s reported penchant for mobile spyware, lend plausibility.)
To be clear: I have no privileged information about the entity behind this whodunnit caper; I will note, however, a worthwhile contribution toward the howdunnit. In all the speculation, a blog post by Rob Graham, CEO of Errata Security, a hacking shop, stood out. Using a cheap, online “people finder” service, he was able to discover possible contact information for Bezos’ ladylove, including email addresses, phone numbers, and the names of close relatives. Entering Sanchez’s email addresses into a database of compromised login credentials—the recent mega-leak dubbed “Collection #1”—turned up associated passwords. If Sanchez reused compromised passwords to secure Bezos’ love notes, this might explain the dallying duo’s undoing. If that’s true, then the methods behind this intrusion might not have involved super-sophisticated spycraft so much as teenage hacker hijinks.
Again, I have no idea how these leaks were procured, or who did it, but Graham’s findings suggest at least one possible, simple explanation. If the security of both parties to a conversation is not up to snuff, everyone suffers. “If you send sexy messages and you are a celebrity, there are large parts of the hacker underground who specialize in trying to steal them,” Graham notes—a statement that is not an endorsement, but a reality. Through password reuse and phishing attacks, “getting celebrity nude pics is fairly simple.” He adds: “there is no reason to consider conspiracy theories at this time.”
People interested in protecting their own privacy might consider the following advice: Segment your information by using multiple email accounts dissociated from your real-life identity. Secure your digital accounts with strong and unique passwords—and use a tool like HaveIBeenPwned to make sure none of these has been compromised. Adopt two-factor authentication as an added layer of protection. And finally, instruct confidantes in the merits and methods of proper digital security. (Heck, you might even recommend they sign up for this newsletter.)
If a nation state goes after you, it’s likely game over. But there are steps you can take to make it harder for run-of-the-mill hackers to get their hands on your goodies.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.