Application security, Threat Management

Cybercrime blotter: Phoenix man arrested for hacking university emails

What happened? Jonathan Powell, 29, was arrested by the Federal Bureau of Investigation and charged one count of fraud in connection with computers, which carries a maximum sentence of five years in prison, for attempting to access about 2,000 email accounts maintained by two New York City-area universities. The data mined from the emails was then used to access social media and other accounts.

Background? The FBI stated in court documents it was able to identify a computer owned by Powell as the device used to access the email accounts. This was accomplished by finding the lone IP address responsible for the entries and tracing that identifier back through the ISP to a computer allegedly owned by Powell.

According to the court documents, from about October 2015 to September 2016 Powell, who lives in Phoenix, intentionally accessed protected computer without the account owner's authorization. By doing so he recklessly caused damage and loss during a one-year period costing more than $5,000. Powell gained access to the email accounts by hacking into the network of two unnamed N.Y. City-area universities.

An FBI agent involved with the case stated in the court document that Powell hacked the email accounts by gaining access to them through the password reset utility on the school's email servers. Once inside he reset the account passwords and began digging around for access to a variety of other online accounts including, Apple iCloud, Facebook, Yahoo, Google and LinkedIn. Powell then logged onto these accounts in an attempt to gain access to additional private and confidential content.

An outside consulting firm investigating the hack found that the email server's reset utility was access about 18,640 times from a single external IP address between the dates previously mentioned. During the period in question password resets were attempted on 2,054 email accounts and of which 1,378 were successfully reset.

Jurisdiction: The arrest was announced by Preet Bharra, U.S. Attorney for the Southern District of New York.

An In-Depth Guide to Application Security

Get essential knowledge and practical strategies to fortify your applications.

You can skip this ad in 5 seconds