A 36-year-old Pennsylvania man has pleaded guilty to hacking the iCloud and Gmail accounts of over 100 celebrities after phishing their details.
A Department of Justice statement on Tuesday claimed that Ryan Collins of Lancaster in the Keystone State pleaded guilty to a violation of the Computer Fraud and Abuse Act and one count of “unauthorized access to a protected computer to obtain information.”
In reality, what that means is that from November 2012 until the beginning of September 2014 he engaged in a long-running phishing campaign targeting various celebrities.
Collins is said to have sent them phishing emails purporting to come from Apple or Google, requesting their log-in details.
With these usernames and passwords he was then able to access at least 50 iCloud accounts and 72 Gmail accounts, most of which belonged to female celebrities, and download any nude photos or videos he came across.
It is claimed he also used an unnamed software program to download the entire contents of some celebs’ iCloud back-ups.
However, curiously, although Collins was brought to justice on the back of an investigation launched into the so-called “Celebgate” leaks of 2014, officers haven’t yet uncovered any evidence that he shared or uploaded the information.
Although there’s a statutory five-year sentence for the crimes Collins has pleaded guilty to, the parties involved have agreed a term of 18 months, the DoJ statement claimed.
“By illegally accessing intimate details of his victims' personal lives, Mr. Collins violated their privacy and left many to contend with lasting emotional distress, embarrassment and feelings of insecurity,” said David Bowdich, assistant director in charge of the FBI’s Los Angeles Field Office.
“We continue to see both celebrities and victims from all walks of life suffer the consequences of this crime and strongly encourage users of internet-connected devices to strengthen passwords and to be skeptical when replying to emails asking for personal information.”
Speculation was rife at the time of the leaks that an individual had brute-forced the accounts, but now it seems that wasn’t the case unless other parties were involved.
Either way, it remains that if Apple had mandated two-factor authentication for iCloud access then the accounts would probably have remained secure.