Individual Who Compromised Over 1,000 Email Accounts At A New York City University Pleads Guilty
For Immediate Release
U.S. Attorney's Office, Southern District of New York
Joon H. Kim, the Acting United States Attorney for the Southern District of New York, announced that JONATHAN POWELL pled guilty today to one count of fraud in connection with his scheme to obtain unauthorized access to more than 1,000 email accounts maintained by a New York City area university in order to download sexually explicit photos and videos. POWELL pled guilty earlier today in Manhattan federal court before United States District Judge Alison J. Nathan.
Acting U.S. Attorney Joon H. Kim said: “From a computer in Arizona, Jonathan Powell wreaked havoc on the email servers of a New York area university. To feed his perverse desire for personal photos and videos, Powell hacked into hundreds of student and faculty email accounts by surreptitiously changing their passwords. Cybercrime is a threat to organizations large and small, from big companies to local universities. Luckily, the FBI was able to stop Powell before he victimized others.”
According to the allegations in the Information to which POWELL pled guilty, a criminal complaint filed against POWELL, as well as statements made during the plea and other proceedings in the case:
From October 2015 up to September 2016, POWELL obtained unauthorized access to email accounts hosted by a U.S.-based university which has its primary campus in New York, New York (“University-1”). POWELL obtained unauthorized access to these accounts by accessing the password reset utility maintained by the email servers at Univeristy-1, which was designed to allow authorized users to reset forgotten passwords to accounts. POWELL utilized the password reset utility to change the email account passwords of students and others affiliated with University-1. Once POWELL gained access to the compromised email accounts (the “Compromised Accounts”), he obtained unauthorized access to other password-protected email, social media, and online accounts to which the Compromised Accounts were registered, including, but not limited to, Apple iCloud, Facebook, Google, LinkedIn, and Yahoo! accounts.
Specifically, using the Compromised Accounts, POWELL requested password resets for linked accounts hosted by those websites (the “Linked Accounts”), resulting in password reset emails being sent to the Compromised Accounts, which allowed POWELL to change the passwords for the Linked Accounts. POWELL then logged into the Linked Accounts and searched within the Linked Accounts, gaining access to private and confidential content stored in the Linked Accounts. In one instance, POWELL searched a University-1 student’s linked Gmail account for digital photographs and for various lewd terms. The Government’s investigation ultimately revealed that POWELL accessed the Compromised and Linked Accounts at least in part to download sexually explicit photographs and videos of college-aged women.
An analysis of University-1 password reset utility logs and other data revealed that POWELL accessed the University-1 password reset utility approximately 18,640 different times between October 2015 and September 2016. During that timeframe, POWELL attempted approximately 18,600 password changes in connection with approximately 2,054 unique University-1 email accounts, and succeeded in making 1,378 password changes in connection with approximately 1,035 unique University-1 email accounts, in some cases compromising the same email accounts multiple times.
* * *
POWELL, 30, of Phoenix, Arizona, was arrested on November 2, 2016. POWELL pled guilty today to one count of fraud in connection with computers, which carries a maximum sentence of five years in prison. The maximum potential sentence in this case is prescribed by Congress and is provided here for informational purposes only, as the defendant’s sentence will be determined by the judge.
POWELL is scheduled to be sentenced on December 1, 2017, at 12 p.m.
Mr. Kim praised the investigative work of the FBI.
The case is being prosecuted by the Office’s Complex Frauds and Cybercrime Unit. Assistant United States Attorney Christopher J. DiMase is in charge of the prosecution.
Updated August 10, 2017
Press Release Number: 17-248