Note: We have updated and republished this post, originally published on March 16, in light of the news that Ryan Collins pleaded guilty to a felony violation of the Computer Fraud and Abuse Act on Tuesday.
After a ton of speculation about how “Celebgate,” one of the biggest celebrity hacks in recent memory, happened, it appears that the answer is relatively simple. The man who pled guilty to stealing private, nude photographs of celebrities used an email phishing scheme to access more than a hundred personal accounts.
Ryan Collins, a 36-year-old Pennsylvania man, was charged in March with a computer hacking felony for his part in the theft of hundreds of nude photos of female celebrities in 2014, which were then posted online in an event known as “Celebgate.” Collins pled guilty to a felony count of unauthorized access to a protected computer to obtain information in May, a charge that carries a maximum of 5 years in jail and a $250,000 fine.
Based on what we know from the plea agreement and prosecutors, it appears that one major part of Celebgate is much less elaborate than what some 4chan users claimed at the time: that many of the photos were stolen through a clever exploitation of a previously unknown iCloud security flaw — a claim that Apple had denied.
Instead, Collins used a method of gaining access to password-protected accounts that can victimize pretty much anyone. Phishing schemes come in a lot of different flavors, but all follow the same basic outline: Users are tricked into giving out sensitive information by malicious email accounts or websites that appear legitimate. Spear phishing, which appears to be what happened here, involves targeting specific users by impersonating businesses or individuals they might already know.
Although the information these emails request (usernames and passwords, personal data, financial information) is something that a legitimate company would never ask its users to provide in an email, the scammers are hoping that if their target believes they can trust the source of the request, they might be more likely to comply.
Phishing attempts like the one now connected to Celebgate are more or less a constant threat for anyone on the Internet. Even if you’ve never actually taken a nude selfie using a digital device, there’s probably something else stored in your digital life that you’d rather not share with the whole world — and there’s someone out there who would like to access it.
According to court filings, Collins stole photos, videos and sometimes entire iPhone backups from at least 50 iCloud accounts and 72 Gmail accounts, “mostly belonging to celebrities,” between November 2012 and September 2014, when the photos were posted online. The U.S. attorney’s office in the Central District of California has confirmed that Collins was charged as a result of a federal investigation into Celebgate, although court documents and statements pertaining to his plea deal do not name any of his famous victims.
Jennifer Lawrence, Kate Upton, Kirsten Dunst, Avril Lavigne, Lea Michele, McKayla Maroney and Ariana Grande were among the celebrities whose photos were said to be in the Celebgate dump. Some, like Lawrence, Upton and Dunst, confirmed that the photos were genuine.
Collins allegedly gained access by setting up emails designed to look like official accounts associated with the Google or Apple services used by his celebrity targets. Some of the emails he used included “email@example.com,” “firstname.lastname@example.org,” and “email@example.com,” according to court documents. Then, it seems that whoever was managing the personal accounts of several of the targeted celebrities complied, replying to those messages with the requested access information: the usernames and passwords for their accounts.
Once he had that information, Collins also had access to everything stored within. He took photos and videos, and sometimes used “a software program to download the entire contents of the victims’ Apple iCloud backups,” the U.S. attorney’s office said.
David Bowdich, assistant director in charge of the FBI’s Los Angeles Field Office, released a statement urging everyone to take precautions against schemes like the one linked to Collins. “We continue to see both celebrities and victims from all walks of life suffer the consequences of this crime and strongly encourage users of Internet-connected devices to strengthen passwords and to be skeptical when replying to emails asking for personal information,” he said.
But there’s more you can do, particularly on the specific services named in this case: Both iCloud and Gmail allow users to turn on two-factor authentication, which adds an additional step to logging on to an account. Instead of just a username and password (which, by the way, should be different for each account), an account with two-factor enabled also requires a unique code, sent to the user’s phone at the time of login. More and more services are starting to enable two-factor security measures. Turn it on if it’s available.
We still know very little about how the photos went from people like Collins to the whole Internet. At the time, 4chan users were talking about a secret, very creepy-sounding underground ring that connected the people who hacked celebrity accounts with those who wanted to sell or collect the photos. The U.S. attorney’s office said investigators had “not uncovered any evidence linking Collins to the actual leaks or that Collins shared or uploaded the information he obtained.”
It seems unlikely that investigators believe Collins is the sole source of the photos in the Celebgate cache. Gawker reported in January that two Chicago homes were raided in connection with the Celebgate investigation. In both cases, according to court documents obtained by Gawker, investigators believed that the individuals in question had also used phishing schemes to target the iCloud accounts of celebrities connected to the stolen photo cache. The district attorney’s office told Gawker on Tuesday that the Chicago raids and the charge against Collins were “directly related.”
Collins is the first to be charged in connection with the FBI’s investigation. As part of a plea deal, prosecutors said in March that they will recommend an 18-month prison sentence