In early September 2014, Apple was preparing to announce a massive iPhone upgrade: bigger iPhones than anything it launched before. But just a few days ahead of the press iPhone 6 press event, an iCloud security scandal broke out. Nude pictures belonging to Jennifer Lawrence and many other celebrities leaked online, originating from iPhone backups.
Apple explained at the time that its iCloud security was not breached and that hackers probably employed phishing schemes to obtain the usernames and passwords from their victims.
Now, 18 months later after the scandal, we finally find out what happened. And it turns out that phishing attacks were indeed used to target the celebrities.
According to NBC News, it’s 36-year-old Ryan Collins the person responsible for phishing login credentials from many celebrities. With usernames and passwords in hand, he was able to log into Gmail accounts and even download iCloud backups from where he extracted nude photos.
What Collins did to gain access to at least 50 iCloud accounts and 72 Gmail accounts between November 2012 and September 2014 was rather simple. He sent his victims emails that looked like they originated from Apple or Google, fooling them into handing their credentials over.
Collins was charged in Los Angeles with violating the Computer Fraud and Abuse Act. He agreed to plead guilty to one count of unauthorized access to a protected computer to obtain information.
The prosecutors recommend a sentence of 18 months, the U.S. Attorney’s Office said, rather than the maximum of five years in prison for the offence.
There’s no evidence that Collins posted the nude photos online, or that he leaked them though the investigation continues.
“By illegally accessing intimate details of his victims’ personal lives, Mr. Collins violated their privacy and left many to contend with lasting emotional distress, embarrassment and feelings of insecurity,” the Assistant Director in Charge of the FBI’s Los Angeles Field Office David Bowdich said.
“We continue to see both celebrities and victims from all walks of life suffer the consequences of this crime and strongly encourage users of Internet-connected devices to strengthen passwords and to be skeptical when replying to emails asking for personal information.”