A 29-year-old man from Phoenix, Arizona, was arrested on Wednesday (2 October) for allegedly hacking into more than 1,000 student email accounts at two universities and attempting to do the same at more than 75 other universities across the US. Jonathan Powell was arrested based on a criminal complaint and charged with one count of fraud in connection with computers, the Department of Justice said.
"As alleged, Jonathan Powell targeted dozens of universities around the country, successfully hacking into student email accounts hosted on at least two universities' servers and accessing the social media, email, and other online accounts of many of those students," Manhattan US attorney Preet Bharara said in a statement. "Powell allegedly stole students' personal information and searched their photos for potentially embarrassing content.
"This case should serve as a wakeup call for universities and educational institutions around the country. There is no greater threat to our security and personal privacy than the cyber threat, and hackers must be identified, stopped, and punished."
From his workplace, Powell allegedly used password reset tools to try to hack thousands of email accounts at two universities in New York and Pennsylvania between October 2015 and September 2016.
After successfully breaching the email accounts, he allegedly accessed other password-protected social media and online accounts linked to the compromised accounts, including Apple iCloud, Facebook, LinkedIn, Google and Yahoo. Powell also requested password resets for the linked accounts and changed them to gain access to other private and confidential data stored in these accounts, the complaint claimed.
Prosecutors alleged that Powell also mined the accounts for potentially embarrassing content. In one instance, Powell is said to have searched a New York-based university student's linked Gmail account for digital photographs using key terms such as "naked" and "horny".
"Powell used password reset tools to basically pick the lock of thousands of personal spaces and look around at what was stored there," FBI assistant director William F Sweeney Jr claimed.
"Cybercrime victims can be large companies or individual users who have their network or accounts accessed illegally, even if there is no theft. The FBI takes seriously any allegations of intrusions, and we will continue to hold accountable those who pose a threat in cyberspace."
After analysing the password reset utility logs and other data, the unnamed New York university found that Powell allegedly accessed the password reset tool around 18,640 times between October 2015 and September 2016. He also allegedly attempted around 18,600 password changes in connection with over 2,000 university email accounts and successfully managed to change the passwords for over 1,000 accounts, the complaint said.
In September, Powell allegedly attempted to change the passwords for nearly 220 email accounts at an unidentified university in Pennsylvania and successfully changed the passwords for around 15 accounts, prosecutors said. They also noted that Powell accessed student directories and login portals at more than 75 other colleges and universities across the country.
Powell faces up to five years in prison and was expected to be presented at a federal court in Phoenix later on Wednesday.