Six Months in Jail for University Email Hacker
27.1.2018 securityweek Crime
A man who accessed over 1,000 email accounts maintained by a New York City-area university to download inappropriate photos and videos was sentenced to 6 months in prison this week.
The man, Jonathan Powell, 30, of Phoenix, Arizona, pled guilty to the charges on August 9, 2017, in Manhattan federal court before United States District Judge Alison J. Nathan, who also imposed the sentence.
According to the allegation he pled guilty to, Powell gained unauthorized access to the email accounts by accessing the password reset utility maintained by the email servers of a United States University that has its primary campus in New York, New York. The tool was meant for authorized users to reset their forgotten passwords.
Powell abused the utility between October 2015 and September 2016 to change the email account passwords of students and others affiliated with the University and to gain access to more than 1,000 accounts.
Once inside the email accounts, he obtained unauthorized access to other password-protected email, social media, and online accounts to which the users of the compromised accounts were registered. These include Apple iCloud, Facebook, Google, LinkedIn, and Yahoo! accounts.
Powell requested password resets for the linked accounts and changed those passwords as well, after a password reset email was sent to the compromised email accounts. Then, he logged into the linked accounts and started looking for private and confidential content.
The investigation into Powell’s nefarious activities revealed that he accessed all of the compromised accounts to download sexually explicit photographs and videos of college-aged women.
Between October 2015 and September 2016, Powell accessed the password reset utility approximately 18,640 different times and attempted around 18,600 password changes for an estimated number of 2,054 unique University email accounts. He succeeded in changing approximately 1,378 passwords for 1,035 email accounts, as he compromised some of the accounts multiple times.
Powell was also found to have compromised 15 email accounts hosted by a University in Pennsylvania. He also admitted to compromising email accounts at several other educational institutions in Arizona, Florida, Ohio, and Texas.
Power was also sentenced to two years of supervised release and ordered to pay $278,855 in restitution.
“Jonathan Powell used his computer skills to breach the security of a university to gain access to the students’ personal accounts. Once Powell had access, he searched the accounts for compromising photos and videos. No college student should have to fear that personal, private information could be mined by strangers for potentially compromising material,” Geoffrey S. Berman, the United States Attorney for the Southern District of New York, commented.