Hacker Ryan Collins pleaded guilty to stealing a number of nude photos — including ones of Jennifer Lawrence — from Apple’s servers. He was snared by the FBI, and in the process of the trial, it became clear that the hack didn’t involve Apple’s services being compromised through brute-forcing or password cracking, but rather that they were the result of social engineering, in the form of a phishing attack.
At the time when the images leaked online, rumors were running wild that Apple’s iCloud services had crumpled under brute-force password-hacking attacks. Apple denied this at the time, and claimed that the hacks were more likely to be a phishing scam. It is now becoming clear that this was indeed the case.
Back in 2014, a number of photographs of celebrities in various states of undress found their way onto the internet after a series of email and Apple iCloud accounts were compromised. Collins was able to download the backups of the iCloud accounts, and apparently extracted the compromising photos from there.
“People store important private information in their online accounts and in their digital devices”, said United States Attorney Eileen M. Decker. “Unauthorized access to such private information is a criminal offense.”
From the court documents, it became clear that the victims of Collins’ attack fell prey to a phishing scam. Collins allegedly sent e-mails to the victims that appeared to come from Google or Apple, warning the victims that their accounts might be compromised, and asking for their login details. The victims would enter their password information. Having gained access to the e-mail address, Collins was able to download e-mails, and get further access to other files, such as iCloud accounts.
According to the prosecutors, he was able to access more than 120 different Gmail and iCloud accounts, and he is being tried for a felony violation of the Computer Fraud and Abuse Act. It’s worth noting that he isn’t being tried for actually uploading the images online. It isn’t clear whether the DoJ is pursuing an investigation into other people who may have had a hand in spreading the images.
Collins has not yet been sentenced, but faces a maximum of five years behind bars, along with fines of up to $250,000. It is expected that he will accept a plea agreement resulting in an 18-month sentence.
Apple added a guide on identifying phishing e-mails to their site in June of last year – after the account hacking scandal broke. In it, they advise that “if you receive an unsolicited email requesting personal information, do not provide any information without first checking directly with the company that appears to be the one requesting this information”. Prudent advice.