Skip to content
Naked Security Naked Security

Former high school teacher pleads guilty to hacking celebrities

A fifth man has pleaded guilty to federal charges of phishing celebrities' and non-celebrities logins and raiding their iCloud accounts for nude photos.

A fifth person has pleaded guilty to federal charges of phishing logins and raiding iCloud accounts for nude photos in the 2014 Celebgate thievery blitz.
This one is a former high school teacher who picked on fellow teachers and students.
The US Attorney’s office in the Eastern District of Virginia announced on Monday that 31-year-old Christopher Brannan has pleaded guilty to getting his mitts on the complete iCloud backups, photographs, and other private information of more than 200 victims, including both celebrities and non-celebrities.
According to court records, those non-celebrities included his sister-in-law – who was a minor at the time – as well as current and former teachers and students at Lee-Davis High School, where Brannan taught special education until 2015.
Brannan used the same scams as that of the other Celebgate crooks who’ve pleaded guilty: He’d research social media accounts to glean answers to security questions – yet another reason why we should lock down access to our public profiles. Once he had that information, he’d use it to get unauthorized access to victims’ email accounts.


He also phished victims’ account usernames and passwords by sending them messages from email addresses spoofed to look like they were coming from Apple security.
Then, Brannan would break into victims’ email accounts to get at private photos and videos. He’d use software such as Elcomsoft in order to download entire iCloud account contents.
He and others would swap the account credentials online. On at least one occasion, he worked with another crook to hack into a victim’s account.
Brannan pleaded guilty to unauthorized access to a protected computer and aggravated identity theft. He’ll spend a minimum of two years in prison for the aggravated identity theft charge. The total maximum time he could spend in jail is seven years, though maximum sentences aren’t typically handed down. Both his lawyers and prosecutors are recommending he get 34 months when he’s sentenced on 25 January 2019.
Besides Brannan, the Celebgate Hall of Infamy includes these previously convicted thieves:

  • George Garofano, 26, sentenced in August to eight months in jail and three years of supervised release for phishing credentials out of celebrities and non-celebrities alike, then breaking into about 240 iCloud accounts to steal personal images that he spread far and wide on the internet.
  • Edward Majerczyk, 29, who pleaded guilty in September 2017 to prying open more than 300 iCloud and Gmail accounts – at least 30 of them belonging to Hollywood glitterati – and ripping off his victims’ sensitive and private photographs and videos.
  • Ryan Collins, 36, who was sentenced to 18 months in jail in October 2016.
  • Emilio Herrera, 33, of Chicago, is serving 16 months. The FBI associated his IP address with accessing about 572 unique iCloud accounts.

Keep your social media private

Facebook for one has revamped its security and privacy settings for users following the Cambridge Analytica scandal this year.

And on Twitter and Instagram, everything you post is public by default, unless you choose to lock your profiles down, so just be mindful of what personal details you’re posting there. Tagging your high school, mother, or raving about the latest superhero movie could be exposing likely answers to password-recovery security questions.
Both Twitter and Instagram do offer you the option of keeping your profile private so it’s worth considering that too.
It’s a good idea to install two-factor authentication (2FA) on all your social media, email and cloud storage accounts too – whether you’re a celebrity or not. With 2FA, these crooks would have found it much harder to access personal photos, videos and emails.


2 Comments

IMO, asking this and the next generation to keep their social profiles private is advice that not only falls on deaf ears but is completely misunderstood at a basic level – it would be equivalent to asking my generation to not watch MTV, use a walkman or hang out at the mall – it IS the way life is for this generation – it IS how they socialize, group, in a very real sense; how they “exist”. To making something “social” be “un”-social makes no sense. I would say a better thing to tell people (whether they use SM or not) is to not answer those questions honestly – and to ask providers to not ask for those questions. The idea of having secret questions is not two factor auth; nor, in most cases, is it stored securely. Many systems do no encrypt that information so when a hacker gets a db, they also get those Q&A’s in clear text…

That last part was not a thing I had thought of…
But yeah the way security questions work is long overdue for an overhaul – children with no training or practice have exploited them since many questions have predictable answers.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?