Perv raided college girls' online accounts for nude snaps – by cracking their security questions

Personal info obtained to pull off 1,400 password resets. Now he's behind bars

By Thomas Claburn in San Francisco

Posted in Security, 25th January 2018 21:12 GMT

Jonathan C. Powell, who hacked into over 1,000 email accounts in search of sexually explicit images and videos of college-aged women, was jailed for six months for computer fraud, the US Department of Justice said on Thursday.

Arrested in November 2016, Powell, a resident of Phoenix, Arizona, pleaded guilty last August in a New York court to accessing email accounts without authorization at two universities: Pace University in New York, and another unnamed university in Pennsylvania.

Powell's hacking consisted of abusing the universities' web-based password-reset mechanism for student email accounts. According to prosecutors' court filings [PDF], staff at one of the universities noticed someone was hammering the password-reset utility and hired a computer forensics firm to investigate. The firm found the reset utility had been accessed from a device issued to Powell 18,640 times between October 2015 and September 2016.

"During that time frame, those Reset Utility accesses resulted in approximately 18,600 attempted password changes in connection with approximately 2,054 unique [Pace] email accounts, and approximately 1,378 successful password changes in connection with approximately 1,035 unique [Pace] email accounts," explained FBI special agent Christopher Merriman in the complaint.

The university's account reset process at the time required correctly answering two security questions, chosen from a list presented to the user when the account was first activated. Nothing else stood between a stranger who knew those two answers and a new password.
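The "hammering" that tipped off university staff is exactly what a reset utility's own logs show if anyone aggregates them by source. As an added example, not code from the article, the court filings or either university, the Python below parses a handful of constructed reset-utility log lines (the line format, field names and thresholds are assumptions) and flags any source that answers questions for many distinct accounts, or fires attempts in a burst no real user would produce.

```python
"""Spot mass abuse of a self-service password-reset utility in its logs.

Added example; not code from the article, the court filings or either
university. The log format, field names and thresholds are assumptions
chosen to illustrate the pattern the article describes: one source
hitting the reset flow for many different accounts in a short time.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape (nothing in the article specifies the real format):
#   2016-03-14T02:12:00Z src=198.51.100.23 user=bjones stage=answer result=FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"stage=(?P<stage>start|answer) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one real user (192.0.2.10) and one harvester (198.51.100.23).
SAMPLE_LOG = """\
2016-03-14T02:10:02Z src=192.0.2.10 user=asmith stage=start result=OK
2016-03-14T02:10:40Z src=192.0.2.10 user=asmith stage=answer result=FAIL
2016-03-14T02:11:05Z src=192.0.2.10 user=asmith stage=answer result=OK
2016-03-14T02:12:00Z src=198.51.100.23 user=bjones stage=answer result=FAIL
2016-03-14T02:12:09Z src=198.51.100.23 user=bjones stage=answer result=OK
2016-03-14T02:12:44Z src=198.51.100.23 user=cwang stage=answer result=FAIL
2016-03-14T02:13:15Z src=198.51.100.23 user=dlee stage=answer result=OK
2016-03-14T02:13:50Z src=198.51.100.23 user=epatel stage=answer result=FAIL
2016-03-14T02:14:21Z src=198.51.100.23 user=fgarcia stage=answer result=FAIL
2016-03-14T02:14:58Z src=198.51.100.23 user=gkim stage=answer result=OK
2016-03-14T02:15:30Z src=198.51.100.23 user=hnguyen stage=answer result=FAIL
"""


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def max_in_window(times, window):
    """Largest number of events inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize_by_source(events):
    """Per source: graded answer attempts, distinct accounts, successes, timestamps."""
    stats = defaultdict(lambda: {"attempts": 0, "accounts": set(), "success": 0, "times": []})
    for ev in events:
        if ev["stage"] != "answer":     # only graded answers count as attempts
            continue
        s = stats[ev["src"]]
        s["attempts"] += 1
        s["accounts"].add(ev["user"])
        s["times"].append(ev["ts"])
        if ev["result"] == "OK":
            s["success"] += 1
    return stats


def flag_sources(stats, max_accounts=5, max_burst=6, window=timedelta(minutes=10)):
    """A real user resets one or two accounts; a harvester touches many, fast."""
    flagged = {}
    for src, s in stats.items():
        reasons = []
        if len(s["accounts"]) > max_accounts:
            reasons.append(f"{len(s['accounts'])} distinct accounts")
        burst = max_in_window(s["times"], window)
        if burst > max_burst:
            reasons.append(f"{burst} attempts within {window}")
        if reasons:
            flagged[src] = reasons
    return flagged


def analyze(log_text, **thresholds):
    """Parse, aggregate and flag; returns (flagged sources, per-source stats)."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    stats = summarize_by_source(events)
    return flag_sources(stats, **thresholds), stats


if __name__ == "__main__":
    flagged, stats = analyze(SAMPLE_LOG)
    for src, reasons in flagged.items():
        s = stats[src]
        print(f"{src}: {', '.join(reasons)}; {s['success']} successful resets")
```

The distinct-account count is the more reliable signal: a harvester has to rotate through victims, whereas an ordinary student resets one account. The burst check catches the same actor even if the address pool is large enough to keep per-source account counts low.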

Court documents do not reveal how Powell managed to answer the security questions correctly for over a thousand accounts. But a LinkedIn account for Jonathan C. Powell in Phoenix, Arizona, that matches educational details cited in court documents suggests a possible explanation: he appears to have worked as a financial recruiter for staffing firm Robert Half.

His work experience may have provided insight into how to find answers to common security questions.

High school

According to Merriman's account, the tablet Powell used for his scheme exhibited a pattern of "searching for biographical information about an individual victim" and then "leveraging that information to gain access to the individual victim's email accounts via password reset utilities – for example, questions about the individual's high school mascot and the names of the individual's grandparents."
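High school mascots and grandparents' names are a web search away, so the fix is not better questions but a reset flow that does not depend on anything a stranger can research. The Python below is an added example, not code from the article or either university: it puts the weak pattern the complaint describes (two knowledge answers, no limits) beside a hardened flow that sends a single-use token to a recovery address and limits requests per account and per source address. The class names, limits, token lifetime and the deliver hook are assumptions made for the illustration.

```python
"""Account recovery without researchable security questions.

Added example, not code from the article or from either university.
WeakReset reproduces the pattern the complaint describes; HardenedReset
replaces it with a single-use out-of-band token plus rate limits. The
limits, token lifetime and delivery hook are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

TOKEN_TTL = 15 * 60          # token lifetime in seconds (assumed)
ACCOUNT_LIMIT = (3, 3600)    # reset requests per account per hour (assumed)
SOURCE_LIMIT = (5, 3600)     # reset requests per source address per hour (assumed)
REDEEM_LIMIT = (5, 3600)     # token submissions per account per hour (assumed)


class WeakReset:
    """Two researchable answers unlock the account; nothing limits guessing."""

    def __init__(self, answers):
        self.answers = answers            # user -> (answer1, answer2), lower-case
        self.passwords = {}

    def reset(self, user, a1, a2, new_password):
        if self.answers.get(user) == (a1.lower(), a2.lower()):
            self.passwords[user] = new_password
            return True
        return False                      # caller is free to try again


class HardenedReset:
    """Single-use token sent out of band, rate-limited per account and per source."""

    def __init__(self, contacts, deliver, now=time.time):
        self.contacts = contacts          # user -> recovery address (assumed store)
        self.deliver = deliver            # deliver(address, token): email/SMS in a real system
        self.now = now                    # injectable clock
        self.tokens = {}                  # user -> (sha256 hex of token, expiry)
        self.events = defaultdict(list)   # limiter key -> recent timestamps
        self.passwords = {}

    def _over_limit(self, key, limit):
        count, window = limit
        t = self.now()
        recent = [x for x in self.events[key] if t - x < window]
        self.events[key] = recent
        if len(recent) >= count:
            return True
        recent.append(t)
        return False

    def request(self, user, src):
        """Same reply whether or not the user exists, so accounts cannot be enumerated."""
        if self._over_limit(("src", src), SOURCE_LIMIT):
            return "throttled"
        if self._over_limit(("acct", user), ACCOUNT_LIMIT):
            return "ok"                   # dropped silently
        address = self.contacts.get(user)
        if address is None:
            return "ok"                   # unknown user, no token
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[user] = (digest, self.now() + TOKEN_TTL)
        self.deliver(address, token)      # the token never comes back in the reply
        return "ok"

    def redeem(self, user, token, new_password):
        if self._over_limit(("redeem", user), REDEEM_LIMIT):
            return False
        entry = self.tokens.get(user)
        if entry is None or self.now() > entry[1]:
            self.tokens.pop(user, None)   # missing or expired: discard
            return False
        if not hmac.compare_digest(entry[0], hashlib.sha256(token.encode()).hexdigest()):
            return False
        self.tokens.pop(user)             # single use
        self.passwords[user] = new_password
        return True


def demo():
    """Constructed walk-through: researched answers beat the weak flow, not the hardened one."""
    weak = WeakReset({"jdoe": ("tigers", "murphy")})       # mascot, grandparent's surname
    out = {"weak_guess": weak.reset("jdoe", "Tigers", "Murphy", "pwned")}

    clock, outbox = [1_000_000.0], defaultdict(list)
    hard = HardenedReset({"jdoe": "jdoe.recovery@example.net"},
                         deliver=lambda addr, tok: outbox[addr].append(tok),
                         now=lambda: clock[0])
    hard.request("jdoe", src="198.51.100.23")               # attacker triggers a reset
    out["forged"] = hard.redeem("jdoe", "guessed-token", "pwned")
    token = outbox["jdoe.recovery@example.net"][-1]          # only the owner sees this
    out["legit"] = hard.redeem("jdoe", token, "correct horse battery staple")
    out["replay"] = hard.redeem("jdoe", token, "again")
    hard.request("jdoe", src="192.0.2.10")
    clock[0] += TOKEN_TTL + 1
    out["expired"] = hard.redeem("jdoe", outbox["jdoe.recovery@example.net"][-1], "late")
    replies = [hard.request(f"user{i}", src="198.51.100.23") for i in range(8)]
    out["throttled"] = replies.count("throttled")
    return out
```

Three properties matter here: the secret is generated, not recalled, so no amount of research produces it; it is delivered somewhere the attacker does not control, which is why a compromised mailbox is so dangerous as a recovery channel; and the limiter turns 18,000-odd attempts from one device into a handful before the source is shut off.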

The Register asked a Robert Half spokesperson for comment but we've not heard back.

In any event, having obtained access to students' university email accounts, he was then able to obtain access to online accounts for other services, including Apple iCloud, Facebook, Google, LinkedIn, and Yahoo!, using the same technique. A compromised mailbox is the worst case for account recovery: it is where most other services send their own password-reset links.

Powell's interest in all this was obtaining private sexually explicit photos, which people apparently store in their email accounts without much thought about security. It's not immediately clear why the large number of such images on the internet did not suffice.

In a statement, Geoffrey S. Berman, the United States Attorney for the Southern District of New York, said: "No college student should have to fear that personal, private information could be mined by strangers for potentially compromising material."

According to the US Department of Justice, the probe revealed that Powell had compromised 15 email accounts at the unidentified Pennsylvania university. And in a statement made to investigators after his arrest, Powell is said to have admitted accessing email accounts without authorization at several other schools in Arizona, Florida, Ohio and Texas.

Merriman's statement in the complaint indicates that the device used by Powell "accessed student directories and login portals associated with more than 75 other colleges or universities located in various locations across the United States."

In addition to his six-month sentence, Powell faces two years of supervised release and restitution of $278,855. ®
