Celebgate Hacker Charged Over Stealing Private Data – Reveals How He Did It
In September 2014, the FBI launched an investigation after private photos of a number of celebrities were leaked online as a result of their iCloud accounts being hacked. Popularly known as the Celebgate scandal or the Fappening, the target was mostly the female celebrities. Some of the Hollywood's biggest stars were hit by this hack, including the likes of Jennifer Lawrence, Kate Upton and Kim Kardashian.
A year and a half later, the US Department of Justice (DoJ) has charged a Pennsylvania man with the Computer Fraud and Abuse Act, facing up to 5 years in prison. Ryan Collins managed to access over 50 iCloud and 72 Gmail accounts in a phishing scheme that he ran from November 2012 until September 2014, giving him usernames and passwords for his victims. Collins is pleading guilty to a felony violation of the Computer Act to one count of gaining unauthorized access to a protected computer to obtain information, the U.S. Attorney's Office said.
Who is Ryan Collins and how the celebgate happened
A graduate in integrated science and technology, the 36-year old Collins started working as a creative project manager for a digital marketing firm. While several local news channels and publications have tried to contact Collins' neighbors, friends or just about anyone else who can claim to know the "man of the hour," people in tech are more interested in knowing how this "average joe" pulled off one of the largest celebrity scandals in modern history.
Unlike what was previously believed, the celebgate didn't involve Apple's iCloud services being compromised as social engineering tactics were involved. At the time of the leak, Apple had said that its iCloud system was not breached and that the attack targeted usernames and passwords. As mentioned before, from November 2012 and September 2014 Collins contacted several celebrity targets with fake emails to get their usernames and passwords. Using phishing attacks, he disguised his emails as official notifications from Apple and Google, making his targets fall for the trap unwittingly.
When the unsuspecting victims responded to his phishing emails, Collins illegally accessed the victims’ e-mail accounts. Collins has also said that he used iBrute, a specialized brute force program to illegally download entire contents and personal information from his victims' iCloud backups. Using phishing attacks and iBrute, he managed to hijack over 100 celebrities' accounts which led to their nude photos, videos and private data being leaked online.
Ryan Collins has admitted to only hacking celebrities' accounts, but not to uploading them online. There is no evidence that could link him to the actual leaks, however, he could still face a statutory maximum sentence of five years in federal prison and fines of up to $250,000.
By illegally accessing intimate details of his victims' personal lives, Mr. Collins violated their privacy and left many to contend with lasting emotional distress, embarrassment and feelings of insecurity. We continue to see both celebrities and victims from all walks of life suffer the consequences of this crime and strongly encourage users of Internet-connected devices to strengthen passwords and to be skeptical when replying to emails asking for personal information.” David Bowdich, the Assistant Director in Charge of the FBI LA Field Office
The prosecution will recommend the judge an 18-month prison sentence, although it will not be binding on the sentencing judge.