
"Celebgate" Attacker Charged Over iCloud Photo Hacks

A Pennsylvania man was charged on Tuesday for accessing the Apple and Google email accounts of over 100 people, including several celebrities.

The man, 36-year-old Ryan Collins of Lancaster, Pennsylvania, was charged with felony computer hacking related to a phishing scheme that provided him with illegal access to said accounts. He managed to access at least 50 iCloud accounts and 72 Gmail accounts, most of which belonged to female celebrities.

Collins signed a plea agreement to plead guilty to a felony violation of the Computer Fraud and Abuse Act, the announcement from the Department of Justice (DoJ) reads. According to the plea agreement filed on Tuesday, Collins agreed to plead guilty to one count of unauthorized access to a protected computer to obtain information.

The man admitted to having engaged in the phishing scheme from November 2012 until the beginning of September 2014, which allowed him to obtain his victims' usernames and passwords.

When the unsuspecting victims responded to his phishing emails, Collins was able to illegally access the victims’ e-mail accounts and to obtain personal information from them. He managed to grab nude photographs and videos, and even used software that allowed him to download the entire contents of the victims’ Apple iCloud backups, the plea agreement reveals.

In September 2014, the FBI launched an investigation after numerous iCloud accounts of celebrities were hacked and photographs of numerous female celebrities leaked online, and the charge against Collins stems from that investigation.

Apple at the time revealed that its iCloud system was not breached and said that the attack targeted user names, passwords and security questions. A few days later, the consumer tech giant also announced that it would ramp up the security of the iCloud service.

However, it appears that there was no evidence that Collins was linked to the actual leaks, nor that he uploaded the information he obtained.

The DoJ also announced that, although the man was charged in Los Angeles, the case will be transferred to Harrisburg in the Middle District of Pennsylvania, near Collins’ home, for the entry of his guilty plea and sentencing.

Collins faces a statutory maximum sentence of five years in federal prison, but the parties have agreed to recommend a prison term of 18 months, although the recommendation will not be binding on the sentencing judge.

“By illegally accessing intimate details of his victims' personal lives, Mr. Collins violated their privacy and left many to contend with lasting emotional distress, embarrassment and feelings of insecurity. We continue to see both celebrities and victims from all walks of life suffer the consequences of this crime and strongly encourage users of Internet-connected devices to strengthen passwords and to be skeptical when replying to emails asking for personal information,” David Bowdich, the Assistant Director in Charge of the FBI’s Los Angeles Field Office, said.

In December 2015, 23-year-old Alonzo Knowles, aka “Jeff Moxey,” was charged for using malware and phishing to gain access to the email accounts of celebrities. Last month, Andrew Helton, 29, of Portland, pleaded guilty to a felony computer hacking charge and admitted to hacking the Apple and Gmail accounts of 363 people, including several celebrities.

The criminal complaint filing can be read here
