The disturbingly simple way dozens of celebrities had their nude photos stolen

In the summer of 2014, stolen nude photos of Jennifer Lawrence, Kate Upton, and other celebrities flooded the internet. The media called it “Celebgate” while those who gleefully downloaded the photos called it “the Fappening.” Nearly two years later, the feds have announced that they have busted the man responsible for stealing the photos. He pleaded guilty to hacking today, according to the Department of Justice:

A Pennsylvania man was charged today with felony computer hacking related to a phishing scheme that gave him illegal access to over 100 Apple and Google e-mail accounts, including those belonging to members of the entertainment industry in Los Angeles.

Ryan Collins, 36, of Lancaster, Pennsylvania, has signed a plea agreement and agreed to plead guilty to a felony violation of the Computer Fraud and Abuse Act. In the plea agreement also filed today, Collins agreed to plead guilty to one count of unauthorized access to a protected computer to obtain information.

According to court documents, Collins gained access to the intimate images of nude celebrities via a disturbingly simple technique: phishing.

Though many people assumed that the hacker took advantage of an iCloud vulnerability to brute-force his way into the celebrities’ accounts, the government makes no mention of that. Instead, it says that Collins hacked over 100 people by sending emails that looked like they came from Apple and Google, such as “[email protected],” “[email protected],” and “[email protected].” According to the government, Collins asked for his victims’ iCloud or Gmail usernames and passwords and “because of the victims’ belief that the email had come from their [Internet Service Providers], numerous victims responded by giving [them].”

Celebrities really need better computer security advisers. If a dedicated enough attacker comes at you, it’s hard to avoid being compromised, but it helps immensely to turn on two-factor authentication for your online accounts. That way a person needs not just your password but a code sent to your phone to get into your account.

Once Collins had their credentials, says the government, he went through their email accounts looking for nude photos and videos. The government says that Collins got into approximately 50 iCloud accounts and 72 Gmail accounts this way, most of them belonging to celebrities. He “accessed full Apple iCloud backups belonging to numerous victims, including at least 18 celebrities” and “used a software program to download those full Apple iCloud backups.”

Ironically, that program was likely one that’s used by law enforcement to get evidence from phones.

One thing that the feds note in their press release is that investigators “have not uncovered any evidence linking Collins to the actual leaks or that Collins shared or uploaded the information he obtained.” So it’s possible that other parties were responsible for the actual leaking of those nudes onto the internet. In the fall, the feds raided two homes in Chicago as part of the “Celebgate” investigation, with court documents showing that the people who lived there appeared to have logged into hundreds of iCloud accounts.

So there’s more to come on the Fappening front.