Investigators uncovered Herrera's activities when looking into a 2014 "Celebgate" incident that saw the private photos of dozens of celebrities leaked online after their iCloud usernames and passwords were obtained through phishing attempts.
Herrera used a phishing scheme to get the usernames and passwords of his victims, sending fake emails that appeared to be from Apple and Google. He stole credentials from April 27, 2013 to August of 2014, and used that information to access the iCloud and Gmail accounts of multiple celebrities.
Investigators have not found evidence linking Herrera to the actual leaks that saw nude photographs of celebrities uploaded to sites like reddit and 4chan, nor have they determined that Herrera shared the data that he found, but he did access sensitive photographs and videos.
Herrera pled guilty to a felony violation of the Computer Fraud and Abuse act, and he now faces up to five years in federal prison.
Edward Majerczyk and Ryan Collins were previously found to be involved in the Celebgate incident and both pled guilty to similar charges.
When hundreds of nude photos of celebrities were leaked online in 2014, there was initial speculation that iCloud had been hacked, but following an investigation, Apple determined the celebrity accounts had been compromised by weak passwords. A Find My iPhone vulnerability that allowed multiple password entry attempts may have also been at fault.
Apple has since improved security by adding two-factor authentication to iCloud.com, introducing email alerts when an iCloud account is accessed on the web, and requiring app-specific passwords for third-party apps that access iCloud.
Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.