The U.S. Department of Justice has issued charges against another individual in the September 2014 hack of Apple iCloud and Google Gmail accounts owned by Hollywood celebrities.
In a statement issued July 1, the DOJ named 28-year-old Edward Majerczyk as one of the hackers involved in the so-called “Celebgate” breach, gaining unauthorized access to more than 300 Apple iCloud and Gmail accounts. The DOJ stated that Majerczyk signed a plea agreement, issuing a guilty plea on the charge of a felony violation of the Computer Fraud and Abuse Act (CFAA) on one count of unauthorized access to a protected computer to obtain information.
According to the plea agreement, Majerczyk executed a phishing campaign to trick users into giving up their usernames and passwords from Nov. 23, 2013, until August 2014. Once Majerczyk obtained the usernames and passwords, he was able to gain access to private pictures and videos located in the victims’ accounts.
News of the Celebgate hacks first publicly emerged in September 2014.
“Hacking of online accounts to steal personal information is not merely an intrusion of an individual’s privacy but is a serious violation of federal law,” United States Attorney Eileen M. Decker said in a statement.
Majerczyk isn’t the first individual to be charged in connection with the Celebgate hacks. In March, the DOJ announced that it had charged 36-year-old Ryan Collins for his actions in the Celebgate hack. The DOJ claimed that Collins had gained access to at least 50 iCloud and Gmail accounts. In contrast, Majerczyk was able to gain access to more than 300 Apple iCloud and Gmail accounts.
Security experts contacted by eWEEK were not surprised that an additional hacker has been found and charged in connection with the Celebgate hack.
“During digital investigations it’s really common to find more than one actor on breached systems,” Marcus Carey, CTO and founder of vThreat, told eWEEK.
It’s possible that even more people could be involved in Celebgate. Carey said it is common for people to share details of how they were able to hack things. He said he wouldn’t be surprised if multiple people posted details on Internet forums or discovered the hack independently.
There is also the possibility that the Celebgate attack was an organized effort by a group of people.
“We often observe cyber-criminal working in groups, so it is absolutely foreseeable that there could be more individuals involved in this crime,” Rob Sadowski, director of Technology Solutions at RSA, the security division of EMC, told eWEEK.
While the Celebgate hack didn’t involve an application code vulnerability, the attackers were able to exploit a number of human and technical weaknesses to trick users. According to Ann Barron-DiCamillo, CTO of Strategic Cyber Ventures, user education is an important element in mitigating security risks. In Majerczyk’s plea, he admits to tricking users by appearing to be an Internet service provider (ISP) asking users to log into a fake page. Barron-DiCamillo said most ISPs don’t send emails requesting users to click a link to update their username/password.
“Username and passwords are too easily compromised via this method or others,” Barron-DiCamillo told eWEEK. “If multifactor authentication was used, this attack would not have been successful.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.