Department of Justice
U.S. Attorney’s Office
Southern District of New York

FOR IMMEDIATE RELEASE
Wednesday, November 2, 2016

Manhattan U.S. Attorney Announces Arrest Of Individual Who Compromised Thousands Of University Email Accounts And Stole Private And Confidential Information

Preet Bharara, the United States Attorney for the Southern District of New York, and William F. Sweeney Jr., Assistant Director in Charge of the New York Field Office of the Federal Bureau of Investigation (“FBI”), announced the arrest of JONATHAN POWELL for obtaining unauthorized access to email accounts maintained by a New York City area university, using his work computer, and causing over $5,000 of loss in the process.  POWELL went on to compromise social media and other online accounts linked to the university email accounts, and mined those linked accounts for the users’ login credentials and other private and confidential information.  POWELL also attempted to access email accounts at more than 75 other universities around the country.  At the time of the alleged offense, POWELL was employed by a private business at its branch office located in Phoenix, Arizona.  POWELL was arrested this morning, and is expected to be arraigned in federal court in Phoenix later today before a U.S. Magistrate Judge.

Manhattan U.S. Attorney Preet Bharara said: “As alleged, Jonathan Powell targeted dozens of universities around the country, successfully hacking into student email accounts hosted on at least two universities’ servers and accessing the social media, email, and other online accounts of many of those students.  Powell allegedly stole students’ personal information and searched their photos for potentially embarrassing content.  This case should serve as a wakeup call for universities and educational institutions around the country.  There is no greater threat to our security and personal privacy than the cyber threat, and hackers must be identified, stopped, and punished.”

FBI Assistant Director William F. Sweeney Jr. said: “Sitting at a computer more than 2,000 miles away, Jonathan Powell allegedly attempted unauthorized access to more than 2,000 university email accounts.  Powell used password reset tools to basically pick the lock of thousands of personal spaces and look around at what was stored there.  Cybercrime victims can be large companies or individual users who have their network or accounts accessed illegally, even if there is no theft.  The FBI takes seriously any allegations of intrusions, and we will continue to hold accountable those who pose a threat in cyberspace.”

According to the allegations contained in the Complaint[1]:

From at least in or about October 2015 up to and including at least in or about September 2016, POWELL obtained unauthorized access to email accounts hosted by at least two United States-based educational institutions, including one which has its primary campus in New York, New York (“University-1”).  POWELL obtained unauthorized access to these accounts by accessing password reset utilities maintained by the email servers at the victim institutions, which are designed to allow authorized users to reset forgotten passwords to accounts.  POWELL utilized the password reset utilities to change the email account passwords of students and others affiliated with those educational institutions.  Once POWELL gained access to the compromised email accounts (the “Compromised Accounts”), he obtained unauthorized access to other password-protected email, social media, and online accounts to which the Compromised Accounts were registered, including, but not limited to, Apple iCloud, Facebook, Google, LinkedIn, and Yahoo! accounts.  Specifically, using the Compromised Accounts, POWELL requested password resets for linked accounts hosted by those websites (the “Linked Accounts”), resulting in password reset emails being sent to the Compromised Accounts, which allowed POWELL to change the passwords for the Linked Accounts.  POWELL then logged into the Linked Accounts and searched within the Linked Accounts, gaining access to private and confidential content stored in the Linked Accounts.  In one instance, POWELL searched a University-1 student’s linked Gmail account for digital photographs, and for the terms “password,” “naked,” “cum” and “horny.”

An analysis of University-1 password reset utility logs and other data revealed that POWELL accessed the University-1 password reset utility approximately 18,640 different times between approximately October 2015 and September 2016.  During that timeframe, POWELL attempted approximately 18,600 password changes in connection with approximately 2,054 unique University-1 email accounts, and succeeded in making 1,378 password changes in connection with approximately 1,035 unique University-1 email accounts.  (The number of successful password changes is greater than the number of compromised University-1 email accounts because certain University-1 email accounts were compromised more than once.)

In or about September 2016, POWELL repeatedly accessed the password reset utility of a second university located in Pennsylvania (“University-2”), in a similar fashion to University‑1.  During that timeframe, POWELL attempted to change the email passwords for approximately 220 University-2 email accounts, and successfully changed the email passwords for approximately 15 University-2 email accounts.  Following the unauthorized access of those University-2 email accounts, a number of Facebook accounts linked to the compromised University-2 email accounts were also compromised.

The FBI obtained and analyzed the device (the “Device”) assigned to POWELL at his place of employment in Phoenix, Arizona (the “Company”), which POWELL utilized in the above-described scheme.  The FBI also obtained from the Company a network backup of certain files on the Device, created on or about September 30, 2016 (the “Device Backup”), which the FBI also analyzed.  The Device and Device Backup contain, among other things, a number of documents listing University-1 email account usernames and passwords.  Certain documents found on the Device also contain credentials – i.e., usernames and passwords – for logging into various internet service provider (“ISP”) accounts appearing to belong to the same University‑1 email account users.

A review of the Device’s web browser history, covering the period from July 5, 2016, to October 3, 2016, revealed that POWELL accessed student directories and login portals associated with more than 75 other colleges and universities (the “Other Universities”) across the United States.  An analysis of the Device Backup demonstrated that the Device Backup contains several documents with filenames that refer to certain of the Other Universities.  Those documents contain what appear to be login credentials for a variety of password-protected accounts linked to email accounts at certain of the Other Universities.

* * *

POWELL, 29, of Phoenix, Arizona, is charged with one count of fraud in connection with computers, which carries a maximum sentence of five years in prison.  The maximum potential sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge.

Mr. Bharara praised the investigative work of the FBI.

The case is being prosecuted by the Office’s Complex Frauds and Cybercrime Unit.  Assistant United States Attorneys Christopher J. DiMase and Timothy Howard are in charge of the prosecution.

The charge contained in the Complaint is merely an accusation, and the defendant is presumed innocent unless and until proven guilty.

[1]  As the introductory phrase signifies, the entirety of the text of the Complaint, and the description of the Complaint set forth herein, constitute only allegations, and every fact described should be treated as an allegation.

16-289
Topic: Cyber Crime
Updated November 3, 2016