Sign up to our newsletter
It turns out that the hacking of celebrity email accounts to scoop up their intimate photos and private conversations didn’t end with 2014’s notorious “Fappening” (perhaps more politely termed “CelebGate”).
Then, female celebrities including Jennifer Lawrence, Kirsten Dunst, Avril Lavigne, Kate Hudson, and Rihanna had their email accounts compromised and intimate pictures stolen. That would be bad enough, but the pictures were then shared widely across the internet without any consideration of how the innocent victims must have been feeling.
This week, a 24-year-old hacker named Alonzo Knowles was sentenced to five years in prison after being found guilty in a separate case involving the hacking of female celebrities’ online accounts. Knowles didn’t stop at stealing what he found in the hacked accounts. He attempted to sell the private emails, unpublished TV and movie scripts, and sexually explicit pictures and videos he stole from them.
The bad news for Knowles, and the good news for those female celebrities that he had targeted, was that the person he was trying to sell the stolen material to was an undercover law enforcement officer.
Bahamas-based Knowles met up with the undercover cop in New York in December 2015, claiming that he had “exclusive content” that was “really profitable” and worth “hundreds of thousands of dollars.” During their conversations, Knowles admitted that he obtained the material directly from the victims without their knowledge, and claimed to have access to material from up to 130 victims.
Using the pseudonym ‘Jeff Moxley’, Knowles went on to describe to the undercover agent that he used a mixture of password-grabbing malware and phishing attacks to steal login credentials from his unsuspecting victims:
During their meeting, Knowles described two methods he used to hack each victim’s email account. The easier method involved sending a virus to the victim’s computer that would enable Knowles to access it. The more difficult method involved Knowles sending a false hacking notification to the Victim and asking the Victim for his passcodes. Once Knowles had used the victim’s passcodes to successfully access the victim’s email account, Knowles, unbeknownst to the Victim, would change the settings in the victim’s email account in order to continue to access to the email account. In order to avoid detection from the Victim, Knowles would delete notifications from the email service provider regarding changes to the settings of the Victim’s email account.
One of Knowles’s victims was Naturi Naughton, a former singer who has carved out an acting career for herself in the Starz drama “Power.”
In a videoed victim impact statement, Naughton described how she had “never felt more violated and out of control in [her] entire life.”
Knowles, however, seems not to have had too much sympathy for what he put his victims through.
As the New York Times reported earlier this year, emails sent by Knowles while detained at a federal facility in Brooklyn revealed that he was feeling far from contrite:
In messages to several women, the government said, Mr. Knowles, 24, seemed to be fixated on gaining notoriety and becoming rich after leaving prison, writing casually that he planned to publish a book and disclose the secrets of the people whose accounts he hacked.
“When i get out im gon shake up hollywood for real!” Mr. Knowles wrote in one email.
In another, he bragged about his planned book.
“Im name dropping everyone involved and what i know,” he wrote, “and im including pictures of paperwork that aint public.”
US district Judge Paul A Engelmayer said that Knowles’ jail conversations resulted in his prison sentence being doubled, as it demonstrated that he was not showing any genuine remorse and continued to pose a threat to society.
There may not be much hope for reforming Knowles, but I hope we can change the behaviours of law-abiding computer users.
My hope is that any celebrities who had their privacy invade by this hacker has now learnt that they need to work harder to protect their online accounts. One valuable lesson that everyone needs to learn – whether in the public eye or not – is to enable multi-factor authentication or two-step verification where available, providing an additional layer of protection.
The typical hacker will find it considerably harder to break into your online accounts if you have two-step verification/authentication turned on, and in many cases will be likely to simply move on to a softer target and decide to leave you well alone.
Of course it should also, by now, go without saying that strong and unique passwords are a must, rather than easy-to-guess passwords or credentials reused between different services. Too many people are being simply too lax with their account security, and making crime too easy for malicious hackers.
Author Graham Cluley, We Live Security