Celebgate: Social engineering used to steal celebrity nude photos

jennifer lawrence oscars

Actress Jennifer Lawrence arrives at the 88th Academy Awards nominees luncheon in Beverly Hills, California in this February 8, 2016, file photo. Ryan Collins, a Pennsylvania man, has agreed to plead guilty to a felony computer hacking charge after authorities said he illegally accessed private phone and email accounts of celebrities such as Oscar-winning actress Jennifer Lawrence to leak information including nude pictures.

Credit: REUTERS/Mario Anzuoni/Files

On Tuesday, the Department of Justice, U.S. Attorney’s Office, Central District of California announced that Ryan Collins, 36, of Lancaster, P.a, plead guilty to violation of the Computer Fraud and Abuse Act.

Collins plead guilty to one count of unauthorized access to a protected computer to obtain information. He was facing a maximum sentence of five years in federal prison; however, an agreement has been reached to recommend a sentence of 18 months to the presiding judge.

US Attorney Eileen M. Decker stated, “Lawless unauthorized access to such private information is a criminal offense. My Office remains committed to protecting sensitive and personal information from the malicious actions of sophisticated hackers and cyber criminals.”

According to the plea agreement, Collins admitted that he used social engineering techniques to illegally acquire login information from his victims. He would send e-mails which appeared to be from either Apple or Google, asking his victims to provide their usernames and passwords. Collins then used the information to access the victims’ e-mail accounts, which provided him with personal details including nude photographs and videos. For some accounts it is believed that Collins used IBrute to download the entire contents of the victims’ Apple iCloud backups. Collins is known to have accessed at least 50 iCloud accounts and 72 Gmail accounts, many belonging to female celebrities.

The case against Collins stems from an FBI investigation into leaked photographs of numerous female celebrities beginning in September 2014, dubbed “Celebgate”. However, investigators were unable to link Collins to the actual leaks or prove he shared or uploaded the information that he obtained.

“By illegally accessing intimate details of his victims' personal lives, Mr. Collins violated their privacy and left many to contend with lasting emotional distress, embarrassment and feelings of insecurity,” said David Bowdich, the Assistant Director in Charge of the FBI’s Los Angeles Field Office. “We continue to see both celebrities and victims from all walks of life suffer the consequences of this crime and strongly encourage users of Internet-connected devices to strengthen passwords and to be skeptical when replying to emails asking for personal information.” 

This is another high profile phishing case, in a long line of high profile phishing cases. What is true for celebrities and the general public is true for business, cybersecurity awareness is sometimes their first, last and only line of defense. The “IBM 2015 Cyber Security Intelligence Index” states that 45% of all breaches were due to insiders and that 95% of those breaches were due to human error. In another words, 42.75% of the average companies’ breaches were due mostly to inadequately or improperly trained personnel.

Law enforcement and the military have a saying, “Train hard, fight easy.” Let’s train our people smarter and harder.

This article is published as part of the IDG Contributor Network. Want to Join?

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.