Ryan Collins, the man behind a long list of hacks into celebrity iCloud and Gmail accounts, has been charged in U.S. Federal Court with violating the Computer Fraud and Abuse Act, and agreed to a deal where he plead guilty to a single felony for unauthorized access to a computer. He wasn't charged with more because there isn't any evidence linking him to the mass dumping of nude photos on the Internet.
FBI arrests man behind iCloud celebrity nude photo hack
Mr. Collins accessed the accounts between late 2012 and mid 2014 by using email phishing scams to trick people into giving up their iCloud and Gmail login credentials. Contrary to early speculation, he didn't exploit security weaknesses in the cloud-based services.
Once Mr. Collins had access to victim's accounts, he downloaded nude photos and in some cases he nabbed full iCloud backups, too.
In September 2014, bucketloads of nude photos from celebrities such as Jennifer Lawrence, Kate Upton, Elizabeth Winstead, and more were uploaded to 4chan in what became known as The Fappening. Apple quickly launched an investigation and determined the accounts were accessed through compromised passwords and not iCloud security flaws, just as Mr. Collins has now confirmed.
Despite the fact he was collecting nude photos from celebrity personal accounts, Mr. Collins doesn't seem to have been involved in posting the images online. The FBI is still investigating that part of the case, but hasn't arrested anyone yet.
Mr. Collins was arrested in Lancaster, Pennsylvania, although the case was filed against him in U.S. District Court in Central California. The case is being transferred to Pennsylvania.
Mr. Collings could spend up to five years in jail, but Federal prosecutors are recommending an 18-month sentence instead.
In this case, all it took to access the accounts was a little social engineering in the form of well crafted emails tricking people into handing over their account user names and passwords. Had they enabled two-factor authentication, however, the point would've been moot because half of the information needed to access the accounts would be only in the hands of the account holders.
Apple has instructions detailing how to enable two-factor authentication, as does Google. If you aren't taking advantage of the stronger security two-factor authentication offers, now would be a good time to set it up for your Apple and Google accounts.
[Thanks to NBC News for the heads up]