Naked Security

Ex-Yahoo engineer pleads guilty to hacking 6,000 accounts

Reyes Daniel Ruiz went after younger women's accounts, including those of his personal friends and work colleagues, he admitted.

A former Yahoo software engineer pleaded guilty in federal court on Monday to being a lech who broke into mostly young women’s Yahoo accounts – 6,000 of them – trying to sniff out salacious photos and videos.

According to the US Attorney’s Office for the Northern District of California, in his guilty plea, Reyes Daniel Ruiz admitted to cracking Yahoo users’ passwords and using his access to internal Yahoo systems to get at accounts, including those of his personal friends and work colleagues.

After he got into his victims’ Yahoo accounts, he’d make copies of their intimate content and stash them at home. He’d also use those Yahoo accounts as a foothold, branching out to break into and grope through his victims’ iCloud, Facebook, Gmail, Dropbox and other online accounts for whatever other salacious content he could find.

Yahoo saw what it thought was suspicious account activity. The Department of Justice’s press release didn’t give details of how Ruiz got wind of his employer’s suspicions (was he confronted? did a mass email go out, telling employees to keep their paws to themselves?), but prosecutors did say that Ruiz admitted that after Yahoo noticed his unsavory forays, he destroyed the computer and hard drive he was using to store the ripped-off imagery.

Ruiz, 34, of Tracy, California, was indicted by a federal grand jury on 4 April 2019. He was charged with one count of computer intrusion and one count of interception of a wire communication, but under the plea agreement he pleaded guilty only to the computer intrusion charge.

Ruiz is now out on a $200K bond. He’s looking at a maximum sentence of five years in prison and a fine of $250,000 plus restitution, though maximum sentences are rarely handed out. He’s scheduled to be sentenced on 3 February 2020.

Just for comparison’s sake, we can look at how much prison time the celebrity e-muggers got for prying open the iCloud and Gmail accounts of Hollywood glitterati in the Celebgate mini-series, in which primary scumbags preyed on celebrities and non-celebrities alike to steal their nudes, and secondary scumbags had a field day sharing the material online.

There’s Edward Majerczyk, for one: he was sentenced to nine months in federal prison in January 2017 for hacking into more than 300 iCloud and Gmail accounts. He phished his way in, sending messages doctored to look like security notices from ISPs in order to harvest his victims’ account credentials.

Then too, there’s Ryan Collins, who was sentenced to 18 months in jail in October 2016. He used the same shtick as Majerczyk: he sent phishing emails spoofed to look like they came from Apple or Google that asked victims for account credentials.

Hmm, looks like they should both be out of jail by now. Let’s hope that they’ve learned their lesson, and, preferably, that they don’t get hired as software engineers anywhere. We don’t need to write any more stories about IT employees from hell, thank you very much.

Insider threats are real, whether we’re talking about cluelessness, avarice, malice, or lechery, as in this case and similar ones at, say, the National Security Agency (NSA) or the Minnesota police department.

How to protect against insider threats

Details are scant. We don’t know how long Ruiz was romping around with the special access afforded to a Yahoo insider, but at least at some point, Yahoo got wind of what he was doing. May all employers be on the lookout for this kind of abuse.

For help in figuring out exactly how to do that, and to help organizations defend against insiders wreaking havoc, the CERT Insider Threat Center at Carnegie Mellon University has published this Common Sense Guide to Mitigating Insider Threats.

There’s a lot involved, and the guide is regularly updated to stay on top of it all, covering everything from the basics of instituting stringent access controls and monitoring policies for privileged users, to incorporating insider threat awareness into ongoing security training, to staying vigilant with regard to what employees are posting to social media.
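The monitoring side of that advice is worth making concrete. The Ruiz case has three signals a privileged-access log should surface: an insider reading customer mailboxes with no support ticket to justify it, one operator touching far more distinct accounts than the job needs, and targets that happen to be the operator’s own colleagues. The script below is an added example written for this article, not Yahoo’s tooling or anything from the CERT guide. It assumes a hypothetical audit log in which every mailbox lookup through an internal support tool is one JSON line with the fields ts, operator, action, target and ticket, plus an HR-supplied watchlist of staff-owned addresses; the log lines, field names, operator names and threshold are all constructed for illustration.

```python
"""Toy detector for abuse of internal account-access tooling.

Added example, not Yahoo's or CERT's code. Log format, field names and
watchlist are assumptions; the sample log below is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed audit log: one JSON object per line (assumed schema).
SAMPLE_LOG = """\
{"ts": "2018-05-02T09:01:12Z", "operator": "agent1", "action": "mailbox_read", "target": "cust_a@example.com", "ticket": "SUP-1001"}
{"ts": "2018-05-02T09:07:40Z", "operator": "agent1", "action": "mailbox_read", "target": "cust_b@example.com", "ticket": "SUP-1002"}
{"ts": "2018-05-02T10:30:05Z", "operator": "agent1", "action": "mailbox_read", "target": "cust_c@example.com", "ticket": "SUP-1003"}
{"ts": "2018-05-02T22:14:03Z", "operator": "eng7", "action": "mailbox_read", "target": "cust_d@example.com", "ticket": null}
{"ts": "2018-05-02T22:15:11Z", "operator": "eng7", "action": "mailbox_read", "target": "cust_e@example.com", "ticket": null}
{"ts": "2018-05-02T22:16:48Z", "operator": "eng7", "action": "mailbox_read", "target": "cust_f@example.com", "ticket": null}
{"ts": "2018-05-02T22:18:02Z", "operator": "eng7", "action": "mailbox_read", "target": "colleague@example.com", "ticket": null}
{"ts": "2018-05-02T22:19:30Z", "operator": "eng7", "action": "mailbox_read", "target": "cust_g@example.com", "ticket": null}
{"ts": "2018-05-02T22:21:57Z", "operator": "eng7", "action": "mailbox_read", "target": "cust_h@example.com", "ticket": null}
"""

# Constructed watchlist: personal addresses that HR has flagged as staff-owned.
STAFF_WATCHLIST = {"colleague@example.com"}


def parse_log(text):
    """Parse JSON-lines audit records, converting ts to datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect(events, staff_watchlist, max_targets_per_day=5):
    """Return (rule, operator, detail) findings for suspicious mailbox reads.

    Rules:
      no_ticket     - a mailbox read with no support ticket attached
      staff_target  - the target address belongs to a colleague
      volume        - more distinct targets in one day than the threshold
    """
    findings = []
    per_day = defaultdict(set)  # (operator, date) -> distinct targets read
    for e in events:
        if e["action"] != "mailbox_read":
            continue
        if not e.get("ticket"):
            findings.append(("no_ticket", e["operator"], e["target"]))
        if e["target"] in staff_watchlist:
            findings.append(("staff_target", e["operator"], e["target"]))
        per_day[(e["operator"], e["ts"].date())].add(e["target"])
    for (operator, day), targets in sorted(per_day.items()):
        if len(targets) > max_targets_per_day:
            detail = f"{len(targets)} distinct accounts on {day.isoformat()}"
            findings.append(("volume", operator, detail))
    return findings


def operators_to_review(findings):
    """Operators with at least one finding, most findings first."""
    counts = defaultdict(int)
    for _, operator, _ in findings:
        counts[operator] += 1
    return sorted(counts, key=lambda op: (-counts[op], op))


if __name__ == "__main__":
    results = detect(parse_log(SAMPLE_LOG), STAFF_WATCHLIST)
    for rule, operator, detail in results:
        print(f"{rule:13} {operator:8} {detail}")
    print("review:", operators_to_review(results))
```

The ticketless-access rule is the one that matters most: a support engineer should never need to open a customer mailbox without a case number, so every unticketed read is a finding on its own rather than a statistical anomaly, and the threshold for the volume rule should be tuned to the real per-shift workload of the support team rather than guessed.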