Man who hacked Scarlett Johansson’s email gets a whopping ten years in prison

The crook who cracked into the email of numerous celebrities, including Scarlett Johansson and Mila Kunis, has been sent to prison.

A federal judge in Los Angeles, California, sentenced 36-year-old Christopher Chaney, of Florida, USA, yesterday.

Although Chaney had already pleaded guilty, thus sparing the expense and complexity of a trial, and although the prosecution had apparently asked for a sentence of just under six years, Judge Otero hit Chaney with a mammoth ten year stretch.

One report suggests Chaney drew an over-the-odds sentence because he continued his cracking activities even after he knew he was under investigation and his computer had been seized.

As we wrote earlier this year, Chaney’s modus operandi seems to have been to use the ‘forgot password’ feature on his victim’s email accounts.

He’d then use publicly accessible information – the sort of stuff many of us share in bits and pieces on social networking sites – to answer his victims’ security questions and finish off the password reset.

Having got hold of the new passwords and illegally accessed the accounts, Chaney would activate the ‘forward a copy of incoming mail’ option. This means he could continue to harvest his victims’ private emails, even if they changed their passwords back.

Chaney stole nude photos, lurid text messages and emails. Many of these were then shared with two online celebrity gossip sites.

Interestingly, although Chaney drew a harsh penalty, we haven’t heard of anything happening to the gossip sites that willingly went public with the stolen material.

The story might have been different had the gossip-mag journalists been in Australia.

Sydney-based journalist Ben Grubb, for example, was briefly arrested in Queensland, Australia, in 2011, and had his iPad confiscated, after he published a supposedly private Facebook photograph that he had acquired from a security researcher.

The researcher had apparently got hold of the photo – a privacy-protected picture of a rival’s wife – as a “proof of concept” for a conference talk about a security flaw in Facebook’s privacy system.

The researcher couldn’t resist sharing the photo with Grubb, who couldn’t resist publishing it online (albeit blurred).

Ben Grubb in hot water

In the end, Grubb wasn’t charged, quickly got his iPad back, and was vindicated – at least in the public’s eyes – by strong criticism of his arrest.

But Queensland police obviously felt strongly enough to go after Grubb under a Queensland law dating back to 1889, which dispassionately observes that “a person who receives tainted property, and has reason to believe it is tainted property, commits a crime.”

And there are two important lessons in that:

• Don’t put tainted property online, especially if it affects the privacy of others.

It’s easy to say, “But the information’s out there now, so the crime of getting it in the first place is already done.”

Have some concern and respect for the privacy of others. The way data breaches seem to be going, you may very well need the same sort of concern and respect in return some time soon.

• Review all your account settings if you think you’ve been hacked.

After a malware attack, an unexpected password change, or anything else which suggests that someone else has been riffling around in your digital stuff, be sure to check your configuration settings.

Be on the alert for changes which might let the crooks carry on their dirty work even after your initial cleanup.

Crooks can add new accounts to your PC, set email forwarding options (like Chaney did), change firewall settings, install remote access software, and much more. If you are unsure what to look for, ask someone you know and trust for help.

Image of hands courtesy of Shutterstock.