According to the U.S. Attorney’s Office for the Northern District of Alabama, a former Shelby County resident agreed to plead guilty to hacking email and file storage accounts of 50 women. Authorities kept the plea-agreement sealed but still revealed some case details. Roger C. Stanton the FBI Special Agent in Charge, explained that the defendant, Kevin Maldonado, phished the Gmail account passwords of 50 women, if not more. He used the details to access cloud storage where he hunted explicit photographs for personal use.
Between 2013 and June 2015, Maldonado used various methods to obtain passwords from 50 or more victims. Roger C. Stanton said “at least 50 women,” but never clarified if the defendant hacked additional accounts following the original incident. Officials opted to keep some court documents sealed based on the nature of the hacked data. Law enforcement, in the released court documents, only identified the victims through initials (presumably their own initials). The press release referenced only one victim and she shared Maldonado’s initials: K. M.
Acting U.S. Attorney Robert O. Posey announced that Maldonado used common phishing practices to hack most of the women. The most common, he said, involved faked Gmail “administrator” accounts. He also used social engineering tactics to obtain access to the accounts. He started with bits and pieces of data that he found on the web and used those to get more data until he knew enough about his target to reset her password. Sometimes he only needed small amounts of publicly available information to reset the security questions.
Weak security questions are common; so many websites share similar flaws and then find themselves on the news for a massive hack or breach. Look at the medical facilities TheDarkOverlord hacked; they used outdated practices or failed to change default credentials for a critical program. If medical practices used poor security measures, the average citizen used for worse. Posey agreed:
“Predators use the internet to target innocent victims. We continue to work with our law enforcement partners to track and prosecute online criminals, but anyone who has an e-mail or other online account should protect themselves by protecting their login and password information. Don’t share it with friends or acquaintances or respond to unsolicited requests for that, or other personal information.”
Court documents revealed that many of the women knew Maldonado in real life. However, in the majority of thefts, the women reported that they never knew Maldonado and had no apparent connection to him. Stanton added another security tip:
“This case is a good reminder for all of us to maintain good computer security practices. Always be cautious of unsolicited telephone calls, e-mails and text messages, especially those asking you to supply account information. If you feel you have been a victim of a computer crime, please report it to the FBI’s Internet Crime Complaint center, www.IC3.gov.”
The hacker used one woman’s account to email her contacts and subsequently exploited them. Police discovered that he categorized each set of photos or videos by person and level of nudity. He stored sex-tapes the same way, authorities announced.
Officials did not disclose the contents of the plea agreement but unauthorized computer access carries a maximum sentence of five years in prison. Although, the very point of a plea deal is based on pushing a guilty plea through the system as quickly as possible. And to do that, the deal needs to offer some incentive for the defendant. Unless the undisclosed documents contain something unexpected, Maldonado will not serve five years in prison. A five-year sentence, suspended upon certain conditions is a common agreement in a case with a 5-year maximum.