A poorly-secured password reset utility allowed a man to access more than 1,000 email accounts at a New York City-area university in a hunt for sexually explicit photographs and videos.
A 30-year-old man has sentenced to six months in prison, after he was found guilty of accessing more than 1,000 email accounts at a New York City-area university in a hunt for sexually explicit photographs and videos of college-aged women.
Jonathan Powell, of Phoenix, Arizona, breached the unnamed university’s servers to gain access to a email password reset utility used by IT staff when students forgot their login credentials. Once Powell had gained access to compromised email accounts, he was able to request password resets on third-party sites, allowing him to log into victims’ various other online accounts including Apple iCloud, Facebook, Google, LinkedIn, and Yahoo.
“Jonathan Powell used his computer skills to breach the security of a university to gain access to their students’ personal accounts. Once Powell had access, he searched the accounts for compromising photos and videos,” said US Attorney Geoffrey S. Berman. “No college student should have to fear that personal, private information could be mined by strangers for potentially compromising material.”
According to a Department of Justice press release, the university’s logs revealed that Powell had accessed the password reset utility 18,640 different times between October 2015 and September 2016.
Powell succeed in making approximately 1,378 password changes associated with 1,035 unique email accounts. In some cases, Powell compromised the same email account on multiple occasions.
Investigations by law enforcement discovered that Powell had also compromised 15 email accounts at a second university in Pennsylvania, and after his arrest he told officers that he had also compromised email accounts in Arizona, Florida, Ohio, and Texas.
There are a few lessons to learn from this unpleasant case.
Firstly, IT teams which have tools to reset their users’ passwords need to ensure that they are properly secured from unauthorised users. Such tools are just as important to protect from hackers as sensitive data, because of the sheer amount of damage that can occur if they are misused.
Seeing as a number of universities across the United States are thought to have been compromised by Powell, it would seem sensible for other organisations (not just universities, and not just in the United States) to evaluate whether they are keeping powerful admin tools safely guarded.
Secondly, it’s clear that the hacker used his initial breach of students’ university email accounts to then launch attacks against external accounts – including popular webmail accounts and social media sites.
All of the sites mentioned in the Department of Justice’s press release (Apple iCloud, Facebook, Google, LinkedIn, and Yahoo) can have additional security features enabled on them, such as two-factor authentication. In some cases, it’s even possible to receive login notifications, or see where and when the last login to the account occurred – which could act as a warning that something fishy is going on.
In addition to being sentenced to six months in prison, Powell will also have to serve two years of supervised release, and has been ordered to pay $278,855 in restitution. From the sound of things, he won’t be hacking into any students’ accounts anytime soon.
But that’s not to say that others won’t try to use similar tricks to prey upon the innocent. Take your online security more seriously today, or pay the price tomorrow.