1. Edward Majerczyk

An Illinois man was charged today with felony computer hacking related to a phishing scheme that gave him illegal access to over 300 Apple iCloud and Gmail accounts, including those belonging to members of the entertainment industry in Los Angeles.

Edward Majerczyk, 28, who resides in Chicago and Orland Park, Illinois, was named in a criminal information filed today in United States District Court in Los Angeles. Majerczyk has signed a plea agreement in which he agrees to plead guilty to a felony violation of the Computer Fraud and Abuse Act, specifically, one count of unauthorized access to a protected computer to obtain information.

Although Majerczyk has been charged in Los Angeles, the parties have agreed to transfer the case to the Northern District of Illinois for the entry of his guilty plea and sentencing. Once he enters the guilty plea, Majerczyk will face a statutory maximum sentence of five years in federal prison.

“Hacking of online accounts to steal personal information is not merely an intrusion of an individual’s privacy but is a serious violation of federal law,” said United States Attorney Eileen M. Decker. “Defendant’s conduct was a profound intrusion into the privacy of his victims and created vulnerabilities at multiple online service providers.”

Majerczyk’s plea agreement was lodged today in United States District Court for the Central District of California and will be executed upon transfer of the case to the Northern District of Illinois. According to the factual basis in the plea agreement, from November 23, 2013 through August 2014, Majerczyk engaged in a phishing scheme to obtain usernames and passwords for his victims. He sent e-mails to victims that appeared to be from security accounts of internet service providers that directed the victims to a website that would collect the victims’ usernames and passwords. After victims responded by entering information at that website, Majerczyk had access to victims’ usernames and passwords. After illegally accessing the iCloud and Gmail accounts, Majerczyk obtained personal information including sensitive and private photographs and videos, according to his plea agreement.

“This defendant not only hacked into e-mail accounts – he hacked into his victims’ private lives, causing embarrassment and lasting harm,” said Deirdre Fike, the Assistant Director in Charge of the FBI’s Los Angeles Field Office. “As most of us use devices containing private information, cases like this remind us to protect our data.  Members of society whose information is in demand can be even more vulnerable, and directly targeted.”

The charge against Majerczyk stems from the investigation into the leaks of photographs of numerous female celebrities in September 2014 known as “Celebgate.” However, investigators have not uncovered any evidence linking Majerczyk to the actual leaks. Many of Majerczyk’s victims were members of the entertainment industry in Los Angeles. By illegally accessing the e-mail accounts, Majerczyk accessed at least 300 accounts, and at least 30 accounts belonging to celebrities.

The case against Majerczyk is the product of an investigation by the Federal Bureau of Investigation. The case is being prosecuted by Assistant United States Attorneys Ryan White and Vicki Chou of the Cyber and Intellectual Property Crimes Section.

2. Ryan Collins

A Pennsylvania man was charged March 15, 2016 with felony computer hacking related to a phishing scheme that gave him illegal access to over 100 Apple and Google e-mail accounts, including those belonging to members of the entertainment industry in Los Angeles.

Ryan Collins, 36, of Lancaster, Pennsylvania, has signed a plea agreement and agreed to plead guilty to a felony violation of the Computer Fraud and Abuse Act. In the plea agreement also filed March 15, 2016, Collins agreed to plead guilty to one count of unauthorized access to a protected computer to obtain information.

Although Collins has been charged in Los Angeles, the parties have agreed to transfer the case to Harrisburg in the Middle District of Pennsylvania, near Collins’ home, for the entry of his guilty plea and sentencing. Once he enters the guilty plea, Collins will face a statutory maximum sentence of five years in federal prison. The parties have agreed to recommend a prison term of 18 months, but that recommendation will not be binding on the sentencing judge.

“Today, people store important private information in their online accounts and in their digital devices,” said United States Attorney Eileen M. Decker. “Lawless unauthorized access to such private information is a criminal offense. My Office remains committed to protecting sensitive and personal information from the malicious actions of sophisticated hackers and cyber criminals.”

According to factual basis in the plea agreement, from November 2012 until the beginning of September 2014, Collins engaged in a phishing scheme to obtain usernames and passwords for his victims. He sent e-mails to victims that appeared to be from Apple or Google and asked victims to provider their usernames and passwords. When the victims responded, Collins then had access to the victims’ e-mail accounts. After illegally accessing the e-mail accounts, Collins obtained personal information including nude photographs and videos, according to his plea agreement. In some instances, Collins would use a software program to download the entire contents of the victims’ Apple iCloud backups.

The charge against Collins stems from the investigation into the leaks of photographs of numerous female celebrities in September 2014 known as “Celebgate.” However, investigators have not uncovered any evidence linking Collins to the actual leaks or that Collins shared or uploaded the information he obtained.

Many of Collins’ victims were members of the entertainment industry in Los Angeles. By illegally accessing the e-mail accounts, Collins accessed at least 50 iCloud accounts and 72 Gmail accounts, most of which belonged to female celebrities.

“By illegally accessing intimate details of his victims' personal lives, Mr. Collins violated their privacy and left many to contend with lasting emotional distress, embarrassment and feelings of insecurity,” said David Bowdich, the Assistant Director in Charge of the FBI’s Los Angeles Field Office. “We continue to see both celebrities and victims from all walks of life suffer the consequences of this crime and strongly encourage users of Internet-connected devices to strengthen passwords and to be skeptical when replying to emails asking for personal information.”

Apple’s Response to the theft when it became public

"We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved."

3. How To protect yourself against this type of attack

IMAGE SOURCE: Apple
Your Apple ID is the account you use to access Apple services like the App Store, Apple Music, iCloud, iMessage, FaceTime, and more. It includes the email address and password you use to sign in as well as all the contact, payment, and security details you'll use across Apple services. Apple takes the privacy of your personal information very seriously and employs industry-standard practices to safeguard your Apple ID.

Here are some of the best practices you can follow to maximize the security of your account.

Use a strong password for your Apple ID

Apple policy requires you use strong passwords with your Apple ID. Your password must have 8 or more characters and include upper and lowercase letters, and at least one number. You can also add extra characters and punctuation marks to make your password even stronger. Apple also uses other password rules to make sure your password isn't easy to guess.

If you aren’t sure if you have a strong password, visit your Apple ID account page to reset your password as soon as possible.

Make the answers to your security questions hard to guess

Apple uses security questions to provide you with a secondary method to identify yourself online or when contacting Apple Support. Security questions are designed to be memorable to you but hard for anyone else to guess. When used in conjunction with other identifying information, they help Apple verify that you are the person who is requesting access to your account. If you haven't selected your security questions, visit your Apple ID account page to set them up.

Another Celebrity Hacker Charged
IMAGE SOURCE: APPLE

Protect your account with two-factor authentication

Apple offers an improved security method called two-factor authentication designed to ensure all the photos, documents, and other important data you store with Apple can be accessed only by you, and only with your devices. When you enter your Apple ID and password for the first time on a new device, we’ll ask you to verify your identity with a six-digit verification code. This code is displayed automatically on your other devices, or sent to a phone number you trust. Just enter the code to sign in and access your account on the new device. Never share your password or verification code with anyone else.

Two-factor authentication is built right in to iOS 9 and OS X El Capitan. It's currently available to users who meet specific account and system requirements.

Protect your account with two-step verification

Apple also offers an optional security enhancement for your Apple ID called two-step verification. Two-step verification requires you to verify your identity using one of your devices before you can make changes to your Apple ID account information, sign in to iCloud, or make an iTunes, App, or iBooks Store purchase from a new device.

Never share your password, Recovery Key, or verification code with anyone else.

Check for encryption and SSL

All web pages where you can view or change your Apple ID utilize Secure Sockets Layer (SSL) to protect your privacy. In Safari, look for  the Lock icon in your browser when accessing your account at your Apple ID account page to know your session is fully encrypted and secure.

Another Celebrity Hacker Charged
IMAGE SOURCE: Apple

Employee privacy and security policies

In addition to strong passwords, encryption, and other technology, Apple has strict policies and procedures in place to prevent unauthorized access to your account. Without proof of your identity via security questions and other carefully selected criteria, Apple Support can't help you reset a password or perform any other actions on your account. These policies are audited and reviewed on a regular basis.

Other tips for keeping your account secure

Good online security requires a combination of practices by companies using Internet services and informed behavior by users. Below are some tips to follow to maximize your security when using your Apple ID and other online accounts.

  • Always use a strong password.
  • Never use your Apple ID password with other online accounts.
  • Change your password regularly and avoid reusing old passwords.
  • Choose security questions and answers that can't be easily guessed. Your answers can even be nonsense as long as you can remember them. For example, Question: What is your favorite color? Answer: Mozart.
  • Set up two-factor authentication for your Apple ID to add an extra layer of security to your account and eliminate the need for security questions.
  • Avoid phishing scams. Don’t click on links in suspicious email or text messages and never provide personal information on any website you aren’t certain is legitimate. Learn how to identify phishing attempts.
  • Never provide your password, security questions, verification codes, recovery key, or any other account security details to anyone else.  Apple will never ask you for this information.
  • Don’t share your Apple ID with other people, even family members.
  • When using a public computer, always sign out when your session is complete to prevent other people from accessing your account.
  • If you abandon an email address or phone number associated with your Apple ID, be sure to update your Apple ID with current information as soon as possible.

Learn what to do if you think your account information has been compromised. If you need more help, contact Apple Support.


Also published on Medium.