Former! Yahoo! engineer! admits! to! hacking! user! emails! for! smutty! snaps!

Yahooligan accessed about 6,000 accounts to hunt for revealing photos and videos


Former Yahoo! software engineer Reyes Daniel Ruiz has pleaded guilty in a California federal court to one count of computer intrusion after breaking into customers' Yahoo! emails and accounts at other service providers to obtain private data, mainly sexual images and videos of account holders.

According to the Office of the US Attorney of Northern California, Ruiz, a 34-year-old resident of Tracy, California, abused his internal access at Yahoo! to hack into about 6,000 accounts in May and June last year. He then used the information he obtained to compromise other online services used by Yahoo! customers, such as Dropbox, Facebook, Gmail, and iCloud.

The incident pales in comparison to the 2013 hack that led to the compromise of all three billion Yahoo! accounts. But such mischief can't be ignored.

The US Attorney's Office said Ruiz acknowledged targeting accounts that belonged to young women, including those of friends and colleagues.

Ruiz is said to have copied images and videos he accessed and stored the files at home. And once Yahoo! detected suspicious account activity, Ruiz admitted destroying the computer and hard drive where he'd stored the purloined files.

Ruiz was indicted by a federal grand jury on April 4, 2019. The court records have not yet been made available. The Register has asked the Department of Justice for a copy of the indictment but we've not heard back.

A sentencing hearing has been scheduled for February 3, 2020; Ruiz is currently on release, subject to a $200,000 bond. The maximum penalty for computer intrusion is five years' imprisonment, a fine of $250,000, and restitution to the victims. ®
