Pennsylvania Man Behind Hacking of Celebrity iCloud Accounts Pleads Guilty

Ryan Collins, the 36-year-old Pennsylvania man behind the hacking of celebrity iCloud accounts in 2014, has signed a plea agreement and agreed to plead guilty to a violation of the Computer Fraud and Abuse Act, the Department of Justice announced (via Gawker).

Collins spent two years (November 2012 to September 2014) engaged in a phishing scheme to obtain the usernames and passwords of his victims, according to the "factual basis of the plea agreement." He sent his victims emails that appeared to be from Apple and Google, asking them to provide their usernames and passwords.

Once Collins obtained the data, he used them to illegally access accounts and extracted private information, which included nude photographs and videos. He also used a software program to download some of the victims' iCloud backups. While Collins obtained the private photos and videos, investigators have not been able to find any evidence that he leaked, shared or uploaded them to the Internet.
“By illegally accessing intimate details of his victims' personal lives, Mr. Collins violated their privacy and left many to contend with lasting emotional distress, embarrassment and feelings of insecurity,” said David Bowdich, the Assistant Director in Charge of the FBI’s Los Angeles Field Office. “We continue to see both celebrities and victims from all walks of life suffer the consequences of this crime and strongly encourage users of Internet-connected devices to strengthen passwords and to be skeptical when replying to emails asking for personal information.”
Collins has been charged in Los Angeles, but the case will be transferred to Harrisburg, Pennsylvania so that he can enter his guilty plea. He will face a statutory maximum sentence of five years in federal prison, but the parties have agreed to recommend a prison term of 18 months. The DoJ stresses that the recommendation is not binding on the sentencing judge.

Shortly after the breach occurred in September 2014, Apple conducted an investigation that revealed the accounts were compromised by weak passwords. The company then made several changes, adding email alerts when iCloud accounts are accessed on the web, app-specific passwords for third-party apps accessing iCloud and enabling two-factor authentication on iCloud.com.


Top Rated Comments

19 weeks ago
Facts: Google AND Apple AND other users were persuaded to tell a stranger their passwords, so no hacking was needed.

Media headlines that will be remembered forever: APPLE'S SYSTEM WAS HACKED!!!!
Rating: 15 Votes
19 weeks ago
You guys forgot to include:

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues ('http://forums.macrumors.com/forumdisplay.php?f=47') forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Rating: 12 Votes
19 weeks ago

Nope they were not! have you ever seen Amateur photos? are all porn!, JLaw's was just erotic nude photos that many others actress already done it in movies, the other photos of her were fake and was someone else. $$$$ JLaw! she one of main reason why PirateBay went down a month later
Why people are supporting her is beyond me! The whole thing was just to promote herself, if you don't agree with me then please explain how there isn't one porn photo of her from 100 photos?


W..T...F....?

Jennifer Lawrence needed to 'promote' herself? She chose 4chan as a place to do it? It's 'suspicious' she didn't have any porn pictures in her account? Suspicious? Amateur's photos are all porn? You have a really messed up view of what women should be doing with their time. 'She was asking for it,' is not a great way to justify your invasion of her privacy.
Rating: 9 Votes
19 weeks ago
Clueless people being duped into giving away their passwords is not being 'hacked'.
Rating: 5 Votes
19 weeks ago
Can't complain. Jennifer Lawrence's nudes were amazing to say the least
Rating: 5 Votes
19 weeks ago

Collins spent two years (November 2012 to September 2014) engaged in a phishing scheme to obtain the usernames and passwords of his victims


So in other words it had nothing to do with iCloud security as the perennial Apple bashers love to go on about but stupid people doing stupid things. Maybe in future before people jump into bashing Apple that such individuals realise that the weakest link is the end user himself/herself rather than it necessarily being the result of lax security on the part of the service provider.
Rating: 5 Votes
19 weeks ago
So can the I DON'T TRUST APPLE OR THEIR CLOUD SECURITY crowd finally admit defeat? For now, at least.
Rating: 3 Votes
19 weeks ago
From what I'm reading here, it doesn't seem like this was a case of someone discovering a weakness in iCloud security and exploiting it to gain access. The title of the article is therefore misleading. Phishing is not the same thing. I believe that phishing is when someone cons you into handing over sensitive information.

This incident should serve as a reminder of the fact that one should never send sensitive information like login credentials or credit card information over email. No service provider should ask you to send that kind of information by email. For example, if your bank wants to check with you about possible fraudulent activity, they would call and ask you to call them back. As another example, if there's something going on with your email account, the service provider should give you a link where you can verify that the link is real.
Rating: 2 Votes
19 weeks ago

There were plenty of smart, well-informed Linux users whose passwords got stolen due to the Bash bug.

The fact is that many users don't know enough about security to know what attackers can/can't fake, so the service providers have to act accordingly. There are websites like "login.security.icloud.password.apple.com.appel.biz" or, if your browser supports it, "аpple.com" (with the Cyrillic "a"). Seems reasonable for people to fall for those. Or people don't know what HTTPS is and why it needs to be verified. Or they weren't born with computers and don't understand that anyone can send an email that looks like it's from Apple.

Also, I'll bet if Apple didn't even require a password, at least 10% of users wouldn't set one. They don't know better. Is that what you want?


And it is clear that you didn't read what I wrote originally because I clearly stated that the issue was the fact that the passwords were not acquired through a lapse in security at Apple or because of a bug in software (as you noted in the example about BASH) but a very simple phishing which involves people not taking precautions - engaging their brain before doing anything. This is my original post:

So in other words it had nothing to do with iCloud security as the perennial Apple bashers love to go on about but stupid people doing stupid things. Maybe in future before people jump into bashing Apple that such individuals realise that the weakest link is the end user himself/herself rather than it necessarily being the result of lax security on the part of the service provider.

Rating: 1 Votes
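
The two lookalike hostnames quoted in the comment above can be told apart from the real domain mechanically: one by reading the registrable domain from the right, the other by noticing a label that mixes scripts. This is an added example, not part of the original thread; the `SUFFIXES` and `TRUSTED` sets are constructed assumptions, and real code would use the full Public Suffix List.

```python
import unicodedata

# Assumption: tiny constructed suffix list and allow-list for illustration.
SUFFIXES = {"com", "biz", "co.uk"}
TRUSTED = {"apple.com", "icloud.com", "google.com"}


def registrable_domain(host):
    """Return the public suffix plus the one label to its left."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest matching suffix is found first
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def scripts(label):
    """Scripts used by the letters of a label, taken from Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def check_host(host):
    """Return 'trusted' or the reason a link's hostname is not."""
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        mixed = [lb for lb in host.split(".") if len(scripts(lb)) > 1]
        return "mixed-script label" if mixed else "non-ascii hostname"
    domain = registrable_domain(host)
    if domain in TRUSTED:
        return "trusted"
    if any(t in host.lower() for t in TRUSTED):
        return f"brand name embedded in {domain}"
    return f"untrusted domain {domain}"


if __name__ == "__main__":
    samples = [
        "www.icloud.com",
        "login.security.icloud.password.apple.com.appel.biz",  # from the comment
        "\u0430pple.com",  # first letter is Cyrillic U+0430, as in the comment
    ]
    for s in samples:
        print(f"{s!r}: {check_host(s)}")
```
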
19 weeks ago

I continue to wonder why people take nude pictures of themselves (oh the vanity) and then store them where it can easily be gotten to. My recommendation is first DON'T take nude selfies. Second, if you didn't listen to number 1 at least store them in an offline media and lock it up at home somewhere.

Clearly this guy did wrong and needs to be punished, but others will follow and if they somehow get to my stuff, they will find lots of junk but no nudies. Of me or anyone else.


I bet you're great fun at parties :p

It's a tired trope but this statement does border on the "she was asking for it by dressing that way." How people choose to express themselves with those closest to them via a medium that *should* be private is entirely up to them. Some people are in long distance relationships and use technology to increase intimacy when physical presence isn't possible, there's nothing wrong with that or for that matter someone just wanting to titillate a bit with a person they trust. I could be wrong but perhaps this is just philosophical for you, I seem to recall you being in favor of a method of decryption in particular cases; maybe you feel that privacy isn't an inherent right and we all need to behave accordingly.
Rating: 1 Votes