Naked Security

Creep signs plea deal for celebrity nudes hack

A third man faces sentencing for the Celebgate photo thefts.

A third creep has pleaded guilty to phishing passwords for people’s Apple iCloud and Gmail accounts and then ransacking them for nude photos in the 2014 Celebgate photo thefts.

On Monday, the Chicago US Attorney’s Office said that 32-year-old Emilio Herrera, of Chicago, has signed a plea agreement and is expected to plead guilty to a felony violation of the Computer Fraud and Abuse Act (CFAA).

Herrera agreed to plead guilty to one count of unauthorized access to a protected computer to obtain information.

It was only one count for the purpose of the plea deal, but Herrera was suspected of pawing at people’s photos a bit more persistently than that: the FBI has claimed that Herrera’s IP address was allegedly used to access about 572 unique iCloud accounts.

The IP address went after some of those accounts numerous times: in total, somebody using it allegedly tried to access 572 iCloud accounts on 3,263 occasions. Somebody at that IP address also allegedly tried to reset 1,987 unique iCloud account passwords approximately 4,980 times.

Prosecutors alleged that Herrera was particularly keen to get his hands on a neighbor’s sensitive photographs, videos and other private information: he accessed the neighbor’s Gmail account 495 times, they claimed.

According to the FBI, the original Celebgate thefts (there have been several go-rounds, showing that some thieves must think that the FBI can only catch other low-lifes) were carried out by a ring of attackers who launched phishing and password-reset scams on celebrities’ iCloud and email accounts.

One of them, Edward Majerczyk, was sentenced to nine months in jail in January 2017. He got to his victims by sending messages doctored to look like security notices from ISPs.

Another Celebgate convict, Ryan Collins, chose to make his phishing messages look like they came from Apple or Google. He got 18 months jail time in October 2016.

According to the plea agreement, Herrera ran his phishing scheme from 27 April 2013 until the end of August 2014. He too whipped up emails that looked like they were coming from the security departments of ISPs that said they needed the victims to send their usernames and passwords.

Once they responded – and hundreds did, including approximately 40 celebrities – he’d use the logins to waltz into his victims’ accounts.

Had it not been for the plea deal, Herrera would have been looking at a maximum sentence of 5 years in federal prison (granted, maximum sentences are rarely handed out). But according to the Los Angeles Times, the plea agreement, which was lodged on Monday in federal court in Los Angeles, shaved it down to 18 months. The case was transferred from Los Angeles to the Northern District of Illinois for the entry of Herrera’s guilty plea and sentencing.

As in the investigations into the other two men convicted in Celebgate, investigators couldn’t find evidence that Herrera was the one who leaked the photos online, shared the material or uploaded anything he’d ripped off.

Was it all for his personal viewing pleasure, then? The thrill of getting away with something valuable to somebody else? Both?

The response I assume many of his victims have: Who cares? Their privacy was treated like birdcage liner, regardless of whether a given thief shared or published their photos. Multiple thieves wanted to invade people’s privacy, and multiple thieves are now paying for it.

Mind you, there’s no saying that the investigation is over: there’s still Celebgate 2.0 and 3.0 to keep the FBI busy.

We’ll keep reporting on the convictions, and hopefully we’ll all take this chance to renew our caution with regard to protecting our login credentials. Crooks get those credentials by phishing, be it by email, text message or iMessage, and then use them to break into a target’s iCloud and/or Gmail accounts.

All of which points to how scams that seem as old as the hills – like phishing – are still very much a viable threat.

Granted, it can be tough to tell the difference between legitimate and illegitimate messages.

So here are some ways to keep your private images from winding up in the thieves’ sweaty palms:

  • Don’t click on links in emails and thus get your login credentials phished away. If you really think your ISP, for example, is trying to contact you, get in touch by typing in the URL for its website and contacting it via a phone number or contact form you find there.
  • Lock down privacy settings on social media (here’s how to do it on Facebook, for example), don’t share photos with people you don’t know and trust, and be careful of who you consider your “friends”. One example of creeps posing as friends can be found on the creepshot sharing site Anon-IB, where users have posted images they say they took from Instagram feeds of “a friend”.
  • Use multifactor authentication (MFA) whenever possible. MFA means you need a one-time login code, as well as your username and password, every time you log in. That’s one more thing the scumbags need to figure out every time they try to phish you.
  • Use strong passwords.


What are the image rights and ethical considerations behind continuing to use the picture of one celebrity who got innocently caught up in this crime?


Image rights belong to the photographer, not the subject. In this case the photographer made the photograph available via Shutterstock. Our terms of use with Shutterstock mean that we do not need to add attribution to our articles.

In the photograph Jennifer Lawrence is shown at the red carpet ceremony for the film Mother! It’s reasonable to assume that she attended that event knowing that she’d be photographed.

Our remit is to provide news, opinion, advice and research. This article contains news and advice. We use headlines, short summaries and photos to communicate to readers via a limited space on Google, Facebook, Twitter and our home page what a story is about.

Unfortunately Ms Lawrence is inescapably linked to the story as its most high profile victim. Using her photo is an aid to readers, just like using her name in a headline would be, to understand what they’ll be reading about if they click through to the article.

This story is the latest in a long line of stories we’ve run outlining this crime and the punishment of those who perpetrated it. At each step we have expressed sympathy with the victims and disgust with the criminals. Our position on this is absolutely clear.

We use stories like this to explain to readers that these kinds of crimes exist, what sort of punishment you can expect if you commit one, and as a vehicle to deliver advice that readers can use to protect themselves, to make crimes like this harder for criminals to carry out.

