Perv raided college girls' online accounts for nude snaps – by cracking their security questions

Personal info obtained to pull off 1,400 password resets. Now he's behind bars

By Thomas Claburn in San Francisco

Jonathan C. Powell, who hacked into over 1,000 email accounts in search of sexually explicit images and videos of college-aged women, was jailed for six months for computer fraud, the US Department of Justice said on Thursday.

Arrested in November 2016, Powell, a resident of Phoenix, Arizona, pleaded guilty last August in a New York court to accessing email accounts without authorization at two universities: Pace University in New York, and another unnamed university in Pennsylvania.

Powell's hacking consisted of abusing the universities' web-based password reset mechanism for student email accounts. According to prosecutors' court filings [PDF], staff at one of the universities realized someone was slamming the password reset functionality, and hired a computer forensics firm to investigate. That biz found the reset utility had been accessed from a device issued to Powell 18,640 different times between October 2015 and September 2016.

"During that time frame, those Reset Utility accesses resulted in approximately 18,600 attempted password changes in connection with approximately 2,054 unique [Pace] email accounts, and approximately 1,378 successful password changes in connection with approximately 1,035 unique [Pace] email accounts," explained FBI special agent Christopher Merriman in the complaint.

The university's account reset process at the time required answering two security questions from a list of questions presented to the person activating the account.
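One way a university's security team could have spotted the pattern described above, a single device driving reset attempts against hundreds of distinct accounts, is a small detector run over the reset utility's own logs. This is an added example, not the university's or the forensics firm's code; the log format, device ids, account names and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines from a hypothetical password-reset utility.
# Assumed format: "<timestamp> <device_id> <account> <FAIL|SUCCESS>".
SAMPLE_LOG = """\
2016-03-01T08:00:01 dev-A alice@example.edu FAIL
2016-03-01T08:00:09 dev-A bob@example.edu FAIL
2016-03-01T08:00:20 dev-A bob@example.edu SUCCESS
2016-03-01T08:00:31 dev-A carol@example.edu FAIL
2016-03-01T08:00:44 dev-A dave@example.edu FAIL
2016-03-01T08:01:02 dev-A erin@example.edu SUCCESS
2016-03-01T09:15:00 dev-B frank@example.edu FAIL
2016-03-01T09:15:40 dev-B frank@example.edu SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text):
    """Parse log lines into (timestamp, device, account, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groups())
    return events


def summarize_by_device(events):
    """Per device: total attempts, failed attempts, and distinct accounts touched."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "accounts": set()})
    for _ts, device, account, result in events:
        s = stats[device]
        s["attempts"] += 1
        s["accounts"].add(account)
        if result == "FAIL":
            s["failures"] += 1
    return stats


def flag_reset_abuse(events, max_accounts=3, max_fail_ratio=0.5):
    """Flag devices that reset many distinct accounts with a high failure ratio.

    A legitimate user who forgot a password touches one account; a device that
    guesses security questions across many accounts fails often and fans out.
    """
    flagged = []
    for device, s in summarize_by_device(events).items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["accounts"]) > max_accounts and fail_ratio >= max_fail_ratio:
            flagged.append(device)
    return sorted(flagged)
```

The thresholds are deliberately low so the constructed sample trips them; in production they would be tuned against the utility's normal per-device volume.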

Court documents do not reveal how Powell managed to guess over a thousand security questions correctly. But a LinkedIn account for Jonathan C. Powell in Phoenix, Arizona, that matches educational details cited in court documents suggests a possible explanation: he appears to have worked as a financial recruiter for staffing firm Robert Half.

His work experience may have provided insight into how to find answers to common security questions.

High school

According to Merriman's account, the tablet Powell used for his scheme exhibited a pattern of "searching for biographical information about an individual victim" and then "leveraging that information to gain access to the individual victim's email accounts via password reset utilities – for example, questions about the individual's high school mascot and the names of the individual's grandparents."

The Register asked a Robert Half spokesperson for comment but we've not heard back.

In any event, having obtained access to students' university email accounts, he was then able to obtain access to online accounts for other services, including Apple iCloud, Facebook, Google, LinkedIn, and Yahoo!, using the same technique.

Powell's interest in all this was obtaining private sexually explicit photos, which people apparently store in their email accounts without much thought about security. It's not immediately clear why the large number of such images on the internet did not suffice.

In a statement, Geoffrey S. Berman, the United States Attorney for the Southern District of New York, said: "No college student should have to fear that personal, private information could be mined by strangers for potentially compromising material."

According to the US Department of Justice, the probe revealed that Powell had compromised 15 email accounts at the unidentified Pennsylvania university. And in a statement made to investigators after his arrest, Powell is said to have admitted accessing email accounts without authorization at several other schools in Arizona, Florida, Ohio and Texas.

Merriman's statement in the complaint indicates that the device used by Powell "accessed student directories and login portals associated with more than 75 other colleges or universities located in various locations across the United States."

In addition to his six-month sentence, Powell faces two years of supervised release and restitution of $278,855. ®
