Perv raided college girls' online accounts for nude snaps – by cracking their security questions

Personal info obtained to pull off 1,400 password resets. Now he's behind bars

By Thomas Claburn in San Francisco

Posted in Security, 25th January 2018 21:12 GMT

Jonathan C. Powell, who hacked into over 1,000 email accounts in search of sexually explicit images and videos of college-aged women, was jailed for six months for computer fraud, the US Department of Justice said on Thursday.

Arrested in November 2016, Powell, a resident of Phoenix, Arizona, pleaded guilty last August in a New York court to accessing email accounts without authorization at two universities: Pace University in New York, and another unnamed university in Pennsylvania.

Powell's hacking consisted of abusing the universities' web-based password reset mechanism for student email accounts. According to prosecutors' court filings [PDF], staff at one of the universities realized someone was slamming the password reset functionality, and hired a computer forensics firm to investigate. That biz found the reset utility had been accessed from a device issued to Powell 18,640 different times between October 2015 and September 2016.

"During that time frame, those Reset Utility accesses resulted in approximately 18,600 attempted password changes in connection with approximately 2,054 unique [Pace] email accounts, and approximately 1,378 successful password changes in connection with approximately 1,035 unique [Pace] email accounts," explained FBI special agent Christopher Merriman in the complaint.

The university's account reset process at the time required answering two security questions from a list of questions presented to the person activating the account.
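The forensic finding above (one device hitting the reset utility thousands of times across thousands of accounts) is the kind of pattern a reset-log monitor can catch long before a firm is hired to look. The following is an added example, not code from the article, the universities or the court filings; the log format, device identifier and thresholds are assumed, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample reset-utility log (not real data): timestamp, device id,
# target account, outcome of the reset attempt.
SAMPLE_LOG = """\
2015-10-03T09:12:01 dev-A1 student01 attempt
2015-10-03T09:12:40 dev-A1 student01 success
2015-10-03T09:15:02 dev-A1 student02 attempt
2015-10-03T09:16:11 dev-A1 student02 attempt
2015-10-03T09:19:30 dev-A1 student03 attempt
2015-10-03T09:20:05 dev-A1 student03 success
2015-10-03T09:25:44 dev-A1 student04 attempt
2015-10-03T10:01:00 dev-B7 student09 attempt
2015-10-03T10:01:30 dev-B7 student09 success
"""

def parse_reset_log(text):
    """Parse the assumed whitespace-separated format into (ts, device, account, result)."""
    events = []
    for line in text.splitlines():
        ts, device, account, result = line.split()
        events.append((datetime.fromisoformat(ts), device, account, result))
    return events

def flag_reset_abuse(events, max_accounts=3, window=timedelta(hours=24)):
    """Return {device: summary} for every device that touched more than
    max_accounts distinct accounts inside any sliding time window.
    A legitimate user resets one or two accounts; a harvester touches many."""
    by_device = defaultdict(list)
    for ts, device, account, result in events:
        by_device[device].append((ts, account, result))
    flagged = {}
    for device, evs in by_device.items():
        evs.sort()  # chronological order so the window slides correctly
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            accounts = {acct for _, acct, _ in evs[start:end + 1]}
            if len(accounts) > max_accounts:
                flagged[device] = {
                    "accesses": len(evs),
                    "distinct_accounts": len({acct for _, acct, _ in evs}),
                    "successes": sum(1 for _, _, r in evs if r == "success"),
                }
                break  # one hit is enough to flag this device
    return flagged
```

The summary mirrors the figures the complaint reports per device (accesses, unique accounts, successful changes), so the same aggregation can feed an alert threshold or a post-incident report.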

Court documents do not reveal how Powell managed to guess over a thousand security questions correctly. But a LinkedIn account for Jonathan C. Powell in Phoenix, Arizona, that matches educational details cited in court documents suggests a possible explanation: he appears to have worked as a financial recruiter for staffing firm Robert Half.

His work experience may have provided insight into how to find answers to common security questions.

High school

According to Merriman's account, the tablet Powell used for his scheme exhibited a pattern of "searching for biographical information about an individual victim" and then "leveraging that information to gain access to the individual victim's email accounts via password reset utilities – for example, questions about the individual's high school mascot and the names of the individual's grandparents."

The Register asked a Robert Half spokesperson for comment but we've not heard back.

In any event, having obtained access to students' university email accounts, he was then able to obtain access to online accounts for other services, including Apple iCloud, Facebook, Google, LinkedIn, and Yahoo!, using the same technique.

Powell's interest in all this was obtaining private sexually explicit photos, which people apparently store in their email accounts without much thought about security. It's not immediately clear why the large number of such images on the internet did not suffice.

In a statement, Geoffrey S. Berman, the United States Attorney for the Southern District of New York, said: "No college student should have to fear that personal, private information could be mined by strangers for potentially compromising material."

According to the US Department of Justice, the probe revealed that Powell had compromised 15 email accounts at the unidentified Pennsylvania university. And in a statement made to investigators after his arrest, Powell is said to have admitted accessing email accounts without authorization at several other schools in Arizona, Florida, Ohio and Texas.

Merriman's statement in the complaint indicates that the device used by Powell "accessed student directories and login portals associated with more than 75 other colleges or universities located in various locations across the United States."

In addition to his six-month sentence, Powell faces two years of supervised release and restitution of $278,855. ®
