
Perv raided college girls' online accounts for nude snaps – by cracking their security questions

Personal info obtained to pull off 1,400 password resets. Now he's behind bars

By Thomas Claburn in San Francisco


Jonathan C. Powell, who hacked into over 1,000 email accounts in search of sexually explicit images and videos of college-aged women, was jailed for six months for computer fraud, the US Department of Justice said on Thursday.

Arrested in November 2016, Powell, a resident of Phoenix, Arizona, pleaded guilty last August in a New York court to accessing email accounts without authorization at two universities: Pace University in New York, and another unnamed university in Pennsylvania.

Powell's hacking consisted of abusing the universities' web-based password reset mechanism for student email accounts. According to prosecutors' court filings [PDF], staff at one of the universities realized someone was slamming the password reset functionality, and hired a computer forensics firm to investigate. That biz found the reset utility had been accessed from a device issued to Powell 18,640 different times between October 2015 and September 2016.

"During that time frame, those Reset Utility accesses resulted in approximately 18,600 attempted password changes in connection with approximately 2,054 unique [Pace] email accounts, and approximately 1,378 successful password changes in connection with approximately 1,035 unique [Pace] email accounts," explained FBI special agent Christopher Merriman in the complaint.

The university's account reset process at the time required answering two security questions from a list of questions presented to the person activating the account.
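The pattern in the complaint, one device hitting the reset utility tens of thousands of times across thousands of accounts, is exactly what a reset endpoint's own logs can surface long before a forensics firm is called in. The following is an added example, not code from the article or from either university: a small Python script that parses constructed reset-utility log lines (the `src=`/`account=`/`result=` field layout, the device labels and the thresholds are all assumptions) and flags any source that targets many distinct accounts, makes many attempts in the logged period, or fails often.

```python
"""Flag password-reset abuse from reset-utility logs (constructed example)."""
import re
from collections import defaultdict

# Constructed sample log lines from a hypothetical reset utility covering about
# one hour; the field names and device labels are assumptions, not a real format.
SAMPLE_LOG = """\
2016-03-01T09:12:04Z src=tablet-7f3a account=jdoe01 result=fail
2016-03-01T09:12:31Z src=tablet-7f3a account=jdoe01 result=success
2016-03-01T09:14:02Z src=tablet-7f3a account=asmith02 result=fail
2016-03-01T09:14:40Z src=tablet-7f3a account=asmith02 result=fail
2016-03-01T09:16:11Z src=tablet-7f3a account=bwong03 result=success
2016-03-01T09:18:55Z src=tablet-7f3a account=clee04 result=fail
2016-03-01T09:20:03Z src=tablet-7f3a account=dkhan05 result=fail
2016-03-01T09:21:47Z src=tablet-7f3a account=emart06 result=success
2016-03-01T10:02:19Z src=laptop-0c9e account=fgarcia07 result=fail
2016-03-01T10:03:05Z src=laptop-0c9e account=fgarcia07 result=success
2016-03-01T11:30:00Z src=phone-b21d account=hpatel08 result=success
not a reset log line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+account=(?P<account>\S+)"
    r"\s+result=(?P<result>success|fail)$"
)


def parse_reset_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize_by_source(events):
    """Aggregate attempts, successes and distinct target accounts per source device."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "accounts": set()})
    for e in events:
        s = stats[e["src"]]
        s["attempts"] += 1
        s["accounts"].add(e["account"])
        if e["result"] == "success":
            s["successes"] += 1
    return dict(stats)


def flag_sources(stats, max_accounts=3, max_attempts=6, max_fail_ratio=0.5):
    """Return {src: [reasons]} for sources whose behaviour looks like enumeration.

    A legitimate user resets one or two accounts of their own; a source touching
    many accounts, or failing security questions repeatedly, is worth a look.
    Thresholds are assumed for illustration and must be tuned to a real baseline.
    """
    flagged = {}
    for src, s in stats.items():
        reasons = []
        distinct = len(s["accounts"])
        if distinct > max_accounts:
            reasons.append(f"{distinct} distinct accounts targeted (limit {max_accounts})")
        if s["attempts"] >= max_attempts:
            reasons.append(f"{s['attempts']} reset attempts in period (limit {max_attempts})")
        failures = s["attempts"] - s["successes"]
        if s["attempts"] >= 3 and failures / s["attempts"] >= max_fail_ratio:
            reasons.append(f"failure ratio {failures / s['attempts']:.2f}")
        if reasons:
            flagged[src] = reasons
    return flagged


def analyze(text=SAMPLE_LOG):
    """Parse, aggregate and flag in one call; returns the flagged-source mapping."""
    return flag_sources(summarize_by_source(parse_reset_log(text)))


if __name__ == "__main__":
    for src, reasons in analyze().items():
        print(src)
        for r in reasons:
            print("  -", r)
```

In the constructed sample only `tablet-7f3a` trips the checks (six accounts, eight attempts, five failures); the two other devices look like ordinary self-service resets. The same aggregation keyed on account rather than source would catch the complementary case of one account being probed from many devices.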

Court documents do not reveal how Powell managed to guess over a thousand security questions correctly. But a LinkedIn account for Jonathan C. Powell in Phoenix, Arizona, that matches educational details cited in court documents suggests a possible explanation: he appears to have worked as a financial recruiter for staffing firm Robert Half.

His work experience may have provided insight into how to find answers to common security questions.

High school

According to Merriman's account, the tablet Powell used for his scheme exhibited a pattern of "searching for biographical information about an individual victim" and then "leveraging that information to gain access to the individual victim's email accounts via password reset utilities – for example, questions about the individual's high school mascot and the names of the individual's grandparents."

The Register asked a Robert Half spokesperson for comment but we've not heard back.

In any event, having obtained access to students' university email accounts, he was then able to obtain access to online accounts for other services, including Apple iCloud, Facebook, Google, LinkedIn, and Yahoo!, using the same technique.

Powell's interest in all this was obtaining private sexually explicit photos, which people apparently store in their email accounts without much thought about security. It's not immediately clear why the large number of such images on the internet did not suffice.

In a statement, Geoffrey S. Berman, the United States Attorney for the Southern District of New York, said: "No college student should have to fear that personal, private information could be mined by strangers for potentially compromising material."

According to the US Department of Justice, the probe revealed that Powell had compromised 15 email accounts at the unidentified Pennsylvania university. And in a statement made to investigators after his arrest, Powell is said to have admitted accessing email accounts without authorization at several other schools in Arizona, Florida, Ohio and Texas.

Merriman's statement in the complaint indicates that the device used by Powell "accessed student directories and login portals associated with more than 75 other colleges or universities located in various locations across the United States."

In addition to his six-month sentence, Powell faces two years of supervised release and restitution of $278,855. ®
