A 20-year-old man from Phoenix, Arizona has been arrested and charged for allegedly hacking into thousands of student email accounts at multiple universities around the United States.
Johnathan Powell was arrested on November 2 for allegedly compromising thousands of email accounts using his work computer while targeting an unnamed New York City area university, the U.S. Department of Justice revealed.
Powell also went on to compromise other online and social media accounts linked to the university email accounts, before mining those linked accounts to access email accounts at over 75 other universities across the United States. Prosecutors also allege that Powell caused losses of over $5,000 during his hacking spree.
Highlighting the case as a ‘wakeup call’ for universities and educational institutions around the country, Manhattan U.S. Attorney Preet Bharara stated:
As alleged, Johnathan Powell targeted dozens of universities around the country, successfully hacking into student email accounts hosted on at least two universities’ servers and accessing the social media, email, and other online accounts of many of those students.
“Powell allegedly stole students’ personal information and searched their photos for potentially embarrassing content,” Bharara added.
Powell is alleged to have attempted unauthorized access to over 2,000 university accounts, while “sitting at a computer more than 2,000 miles away,” added FBI Assistant Director William F. Sweeney Jr.
The law enforcement agent further revealed that Powell had used password reset tools to unlock thousands of personal storage spaces online before accessing personal content illegally. The accounts that he compromised further from his initial hack of email accounts include those on popular platforms such as Facebook, Google, Yahoo!, LinkedIn and Apple iCloud, among others.
An analysis of the compromised University’s reset utility logs and other data revealed that Powell had used the institution’s password reset utility approximately 18,640 times between October 2015 and September 2016. During that period, Powell attempted about 18,600 password changes in relation to approximately 2,054 unique university email accounts, ultimately succeeding to make 1,378 password changes in connection with approximately 1,035 university email accounts.
Predictably, that trend replicates with other targeted and compromised universities.
Powell is charged with one count of fraud in connection with computers, a charge that carries a maximum sentence of five years in prison.
Image credit: Pexels.