Virginia Teacher Sentenced to 34 Months in Prison for 2014 Celebrity iCloud Hack

[MacRumors]

For his role in the 2014 iCloud hacks that saw many celebrity photos illicitly shared on the internet, former high school teacher Christopher Brannan has been sentenced to 34 months in prison, according to the U.S. Attorney's Office for the Eastern District of Virginia (via AppleInsider).

Brannan was charged with unauthorized access to a protected computer and aggravated identity theft. Court documents say that he accessed the iCloud, Yahoo, Facebook, and email accounts of more than 200 victims, both celebrities and non-celebrities.

He was able to obtain full iCloud backups, photographs, and other information using phishing email accounts that were designed to look like legitimate emails from Apple. He also hacked email accounts by answering security questions using data found on victims' Facebook accounts.

After obtaining Apple account information, Brannan would search for "sensitive and private photographs and videos, including nude photographs."

Brannan is one of multiple people who were found accessing and distributing celebrity photos in the 2014 attack. Ryan Collins, Edward Majerczyk, and Emilio Herrera, and George Garafano have previously been sentenced to prison terms ranging from eight months to 18 months.

When hundreds of nude celebrity photos began leaking on the internet in 2014 as part of what's now known as the "Celebgate" attack, there was initial speculation that iCloud had been hacked.

Following an investigation, however, Apple found that the accounts in question were compromised by weak passwords and skilled phishing attempts.

Apple has since implemented multiple changes to iCloud security, adding two-factor authentication to iCloud.com, introducing email alerts when an iCloud account is accessed either on the web or on another device, and requiring app-specific passwords for third-party apps that access iCloud.

Unfortunately, the kind of phishing emails that led to the 2014 celebrity leak are still widely used today, and phishing scammers have only gotten better at what they do.

To thwart phishing attempts, Apple maintains a support page with information on how to avoid fake support calls, phishing emails, and other scam techniques that malicious individuals employ to extract information from Apple users.

Those concerned about being the victim of a phishing attack should take measures to stay safe, including using two-factor authentication, getting a password manager like 1Password and using a unique password for each and every site, and avoiding suspicious phone calls and emails, even if they look like they come from Apple.

Article Link: Virginia Teacher Sentenced to 34 Months in Prison for 2014 Celebrity iCloud Hack

 

[johnalan]

What a way to treat a national treasure.

 

[adamdport]

Apple found that the accounts in question were compromised by weak passwords

If they're storing passwords correctly, how would they know that?

 

[JimmyHook]

There has never been a hack of iCloud period. The law requires any hacks be reported, none have, therefore iCloud is still the most secure cloud service in existence
[doublepost=1551468630][/doublepost]

If they're storing passwords correctly, how would they know that?

By asking the account owners during an investigation is the most likely answer

 

[Apple_Robert]

Glad he is going to prison. I am also glad that Apple initiated 2FA to help people be more secure with their account.

 

[cmaier]

If they're storing passwords correctly, how would they know that?

Presumably they worked with the victims, or they ran a dictionary attack and found that they could crack the password themselves in 3 minutes?

 

[Bornee35]

He is a folk hero and leader of the Fappening, the William Wallace for lonely men everywhere.

 

[eeboarder]

Ah, yes. The “Fappening”!

 

[zorinlynx]

Ah, yes. The “Fappening”!

I know, right? I'm not sure why the post called it "Celebgate". I've never heard it called that! It's always been "The Fappening".

 

[Fortimir]

"...as part of what's now known as the "Celebgate" attack."

Stop trying to make "Celebgate" happen. It's not going to happen.

 

[MagicBoy]

Since when was it called Celebgate? I'm told the torrent file was called "The Fappening".

 

[webbuzz]

He is a folk hero and leader of the Fappening, the William Wallace for lonely men everywhere.

A visual of Hope Solo was cemented in my brain.

 

[mi7chy]

Pretty weak security measures when a high school teacher can breach them. It's the breach that keeps on giving since once it's on the internet it's there forever with no way to remove.

 

[poe diddley]

he's a hero really for at least two reasons.
1. he exposed a serious security problem that did get addressed
2. he answered a lot of prayers

 

[cocky jeremy]

Why would he get arrested for "unauthorized access" to a computer if they literally gave him the passwords?

 

[NT1440]

Pretty weak security measures when a high school teacher can breach them. It's the breach that keeps on giving since once it's on the internet it's there forever with no way to remove.

No amount of security is going to get around people handing someone their password. Social engineering is not a “hack”.

 

[guzhogi]

Why would he get arrested for "unauthorized access" to a computer if they literally gave him the passwords?

They didn't give him they're passwords in a "Here, do whatever you want with them," attitude. He probably fooled them by sending them a FAKE "Please log into your iCloud account" email or something similar.

 

[ipedro]

It was not a hack. You should know better, this is a tech website. We have a hard enough time correcting the misconception that iCloud was hacked (it wasn’t), we don’t need Macrumors reinforcing it.

This was social engineering, phishing celebrities into giving up their passwords voluntarily.

 

[Juicy Box]

He probably fooled them by sending them a FAKE "Please log into your iCloud account" email or something similar.

Maybe I am clueless, but I had no idea that phishing emails were illegal......

 

[NT1440]

It was not a hack. You should know better, this is a tech website. We have a hard enough time correcting the misconception that iCloud was hacked (it wasn’t), we don’t need Macrumors reinforcing it.

This was social engineering, phishing celebrities into giving up their passwords voluntarily.

Yup, poor form MR. This mislabeling could be excused from the likes of Bloomberg tech “reporting”, but MR is supposed to be a bit more tech savvy.

 

[thisisnotmyname]

"Celebgate?" That wasn't the term I heard. I guess what I heard probably isn't G-rated though.

Edit to add: looking at comments above I see I'm not the only one who heard that other name.

Edit 2: really disappointing to see so many comments about "hero" when someone exposed intimate images of strangers. Celebrity or not, no one deserves that.

 

[mattopotamus]

Maybe I am clueless, but I had no idea that phishing emails were illegal......

Just because someone "gives" you the info doesn't mean you can legally do with it what you want. At the very least it could be considered "theft by deception" or "electronic transfer of sexual material without permission".

 

[69Mustang]

It was not a hack. You should know better, this is a tech website. We have a hard enough time correcting the misconception that iCloud was hacked (it wasn’t), we don’t need Macrumors reinforcing it.

This was social engineering, phishing celebrities into giving up their passwords voluntarily.

You are peeing up a virtual rope trying to get that perception corrected. It is emblazoned on the social consciousness as the iCloud hack. It is what it is. You'd have no more success than I would telling certain Apple fans Google doesn't sell your data. By the time I get to "...ad space based on anon-...", nothing but the proverbial 1000 yard stare ← metaphorical
Google sells data and iCloud was hacked. Whaddayagonnado. ¯\_(ツ)_/¯

 

[Dr. James]

But I thought it was the hacker known as 4chan

 

[Moonlight]

NOT A HACK