There’s a follow-up to a case I previously noted on this site in November, 2016. Graham Cluley reports:
A 30-year-old man has sentenced to six months in prison, after he was found guilty of accessing more than 1,000 email accounts at a New York City-area university in a hunt for sexually explicit photographs and videos of college-aged women.
Jonathan Powell, of Phoenix, Arizona, breached the unnamed university’s servers to gain access to a email password reset utility used by IT staff when students forgot their login credentials. Once Powell had gain accessed to compromised email accounts he was able to request password resets on third-party sites, allowing him to log into victims’ various other online accounts including Apple iCloud, Facebook, Google, LinkedIn, and Yahoo.
Read more on WeLiveSecurity.
Related: Press Release from U.S. Attorney’s Office, Southern District of New York:
Geoffrey S. Berman, the United States Attorney for the Southern District of New York, announced that JONATHAN POWELL was sentenced yesterday to six months in prison for computer fraud in connection with his scheme to obtain unauthorized access to more than 1,000 email accounts maintained by a New York City-area university in order to download sexually explicit photos and videos. POWELL previously pled guilty to the charge on August 9, 2017, in Manhattan federal court before United States District Judge Alison J. Nathan, who also imposed POWELL’s sentence.
U.S. Attorney Geoffrey S. Berman said: “Jonathan Powell used his computer skills to breach the security of a university to gain access to their students’ personal accounts. Once Powell had access, he searched the accounts for compromising photos and videos. No college student should have to fear that personal, private information could be mined by strangers for potentially compromising material.”
According to the allegations in the Information to which POWELL pled guilty, a criminal complaint filed against POWELL and other filings made in the case, and statements made during the plea and other proceedings in the case:
From October 2015 up to September 2016, POWELL obtained unauthorized access to email accounts hosted by a U.S.-based university, which has its primary campus in New York, New York (“University-1”). POWELL obtained unauthorized access to these accounts by accessing the password reset utility maintained by the email servers at Univeristy-1, which was designed to allow authorized users to reset forgotten passwords to accounts. POWELL utilized the password reset utility to change the email account passwords of students and others affiliated with University-1. Once POWELL gained access to the compromised email accounts (the “Compromised Accounts”), he obtained unauthorized access to other password-protected email, social media, and online accounts to which the Compromised Accounts were registered, including, but not limited to, Apple iCloud, Facebook, Google, LinkedIn, and Yahoo! accounts.
Specifically, using the Compromised Accounts, POWELL requested password resets for linked accounts hosted by those websites (the “Linked Accounts”), resulting in password reset emails being sent to the Compromised Accounts, which allowed POWELL to change the passwords for the Linked Accounts. POWELL then logged into the Linked Accounts and searched within the Linked Accounts, gaining access to private and confidential content stored in the Linked Accounts. In one instance, POWELL searched a University-1 student’s linked Gmail account for digital photographs and for various lewd terms. The Government’s investigation ultimately revealed that POWELL accessed the Compromised and Linked Accounts in order to download sexually explicit photographs and videos of college-aged women.
An analysis of University-1 password reset utility logs and other data revealed that POWELL accessed the University-1 password reset utility approximately 18,640 different times between October 2015 and September 2016. During that time, POWELL attempted approximately 18,600 password changes in connection with approximately 2,054 unique University-1 email accounts, and succeeded in making approximately 1,378 password changes in connection with approximately 1,035 unique University-1 email accounts, in some cases compromising the same email account multiple times.
Additional investigation revealed that POWELL had also compromised 15 email accounts hosted by a second university located in Pennsylvania. In a post-arrest statement made to investigating agents, POWELL additionally admitted to compromising email accounts at several other educational institutions located in Arizona, Florida, Ohio, and Texas.
* * *
In addition to the prison term, POWELL, 30, Phoenix, Arizona, was sentenced to two years of supervised release and ordered to pay $278,855 in restitution.
Mr. Berman praised the investigative work of the Federal Bureau of Investigation.
The case is being prosecuted by the Office’s Complex Frauds and Cybercrime Unit. Assistant United States Attorney Christopher J. DiMase is in charge of the prosecution.