Jonathan C. Powell, who hacked into over 1,000 email accounts in search of sexually explicit images and videos of college-aged women, was jailed for six months for computer fraud, the US Department of Justice said on Thursday.
Arrested in November, 2016, Powell, a resident of Phoenix, Arizona, pleaded guilty last August in a New York court to accessing email accounts without authorization at two universities: Pace University in New York, and another unnamed university in Pennsylvania.
Powell's hacking consisted of abusing the universities' web-based password reset mechanism for student email accounts. According to prosecutors' court filings [PDF], staff at one of the universities realized someone was slamming the password reset functionality, and hired a computer forensics firm to investigate. That biz found the reset utility had been accessed from a device issued to Powell 18,640 different times between October 2015 and September 2016.
"During that time frame, those Reset Utility accesses resulted in approximately 18,600 attempted password changes in connection with approximately 2,054 unique [Pace] email accounts, and approximately 1,378 successful password changes in connection with approximately 1,035 unique [Pace] email accounts," explained FBI special agent Christopher Merriman in the complaint.
The university's account reset process at the time required answering two security questions from a list of questions presented to the person activating the account.
Court documents do not reveal how Powell managed to guess over a thousand security questions correctly. But a LinkedIn account for Jonathan C. Powell in Phoenix, Arizona, that matches educational details cited in court documents suggests a possible explanation: he appears to have worked as a financial recruiter for staffing firm Robert Half.
His work experience may have provided insight into how to find answers to common security questions.
According to Merriman's account, the tablet Powell used for his scheme exhibited a pattern of "searching for biographical information about an individual victim" and then "leveraging that information to gain access to the individual victim's email accounts via password reset utilities – for example, questions about the individual's high school mascot and the names of the individual's grandparents."
The Register asked a Robert Half spokesperson for comment but we've not heard back.
In any event, having obtained access to students' university email accounts, he was then able to obtain access to online accounts for other services, including Apple iCloud, Facebook, Google, Linkedin, and Yahoo!, using the same technique.
Powell's interest in all this was obtaining private sexually explicit photos, which people apparently store in their email accounts without much thought about security. It's not immediately clear why the large number of such images on the internet did not suffice.
In a statement, Geoffrey S. Berman, the United States Attorney for the Southern District of New York, said: "No college student should have to fear that personal, private information could be mined by strangers for potentially compromising material."
According to the US Department of Justice, the probe revealed that Powell had compromised 15 email accounts at the unidentified Pennsylvania university. And in a statement made to investigators after his arrest, Powell is said to have admitted accessing email accounts without authorization at several other schools in Arizona, Florida, Ohio and Texas.
Merriman's statement in the complaint indicates that the device used by Powell "accessed student directories and login portals associated with more than 75 other colleges or universities located in various locations across the United States."
In addition to his six-month sentence, Powell faces two years of supervised release and restitution of $278,855. ®