Hacker used password resets to break into 1,050 university email accounts

How hard is it to break into the email accounts used by staff and students at US universities?

Based on the unsettling details of a case made public by the US Department of Justice (DOJ), in some cases not as hard as it should be.

According to the indictment made public with his arrest last week, 29-year-old Jonathan Powell allegedly broke into more than 1,000 email accounts at two US universities by doing nothing more sophisticated than exploiting weaknesses in how those accounts' passwords were reset.

Powell targeted 75 US institutions all told, but his campaigns against Pace University in New York and an unnamed university in Pennsylvania were almost industrial in scale.

Logs showed that between October 2015 and September this year he had attempted to change the passwords of 2,054 different email accounts at Pace University a total of 18,600 times.

Many of those attempts failed, but he eventually broke into 1,035 accounts, some of which he reset more than once.

He found the going tougher at the Pennsylvania institution but still compromised 15 accounts from 220 targeted.

Once in control of the accounts, Powell is alleged to have launched password reset attacks on other services used by the account holders, including Apple iCloud, Facebook, Google, LinkedIn and Yahoo! That is the chain a reset-based attack opens up: the mailbox is where every other service sends its reset links, so whoever controls it can reset everything else.

According to Manhattan US Attorney Preet Bharara:

This case should serve as a wake-up call for universities and educational institutions around the country. Powell used password reset tools to basically pick the lock of thousands of personal spaces and look around at what was stored there.

Audacious attacks by lone hackers usually boil down to two questions: how did they do it (and could someone else replicate the same attack), and why did they do it?

The why is difficult to answer ahead of any trial, but the DOJ said he had trawled a compromised Gmail account for digital pictures and for the words "password", "naked", "cum" and "horny", which points to personal rather than professional interests.

The indictment doesn't explain the how, but the most likely explanation is a failure to enforce strong passwords.

If the password is short or obvious, all an attacker needs is a user ID, the reset tool and a guessing strategy, and a reset flow that checks nothing stronger than such a guessable secret is only as strong as the guess. That would explain why, in the Pace University attack, Powell needed more than 18,000 attempts against 2,000 or so accounts and ended up compromising around 1,000.

That is roughly a 50 percent success rate over a 12-month period, at an average of about nine attempts per account, which also implies that there was no limit on attempts: a lockout after a handful of failed resets for an account, or for a source making resets against many accounts, would have stopped the campaign long before it reached those numbers.
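As an added example (not code from the article, and not from either university's reset system), here is the kind of control the success rate above implies was missing: a throttle in front of the reset endpoint that counts failed attempts per account and per source address in a sliding window and locks either key out once it reaches its limit. The limits, the lockout period and the simulated attacker (a single source making up to nine guesses per account, modelled loosely on the article's figures) are all assumptions made for illustration.

```python
"""Throttling for a password-reset endpoint, added here as an example.

This is not code from the article or from any university's system. The
limits, lockout period, sliding window and the modelled attacker are
assumptions chosen to illustrate the point; the attacker model is loosely
based on the article's figures (roughly nine reset attempts per account,
about half of the targeted accounts eventually falling).
"""
from collections import defaultdict, deque


class ResetThrottle:
    """Count failed reset attempts per account and per source address in a
    sliding window and block either key once it reaches its limit."""

    def __init__(self, account_limit=5, source_limit=20,
                 window=3600, lockout=900):
        self.account_limit = account_limit  # failures allowed per account
        self.source_limit = source_limit    # failures allowed per source IP
        self.window = window                # seconds a failure stays counted
        self.lockout = lockout              # seconds a block lasts
        self.failures = defaultdict(deque)  # key -> timestamps of failures
        self.blocked_until = {}             # key -> time the block expires

    def _prune(self, key, now):
        """Drop failures older than the window and return the live queue."""
        queue = self.failures[key]
        while queue and now - queue[0] > self.window:
            queue.popleft()
        return queue

    def allow(self, account, source, now):
        """True if a reset attempt for `account` from `source` may proceed."""
        for key in (("acct", account), ("src", source)):
            if self.blocked_until.get(key, 0) > now:
                return False
        return True

    def record_failure(self, account, source, now):
        """Register a failed attempt; block the account or source once it
        reaches its limit within the window."""
        for key, limit in ((("acct", account), self.account_limit),
                           (("src", source), self.source_limit)):
            queue = self._prune(key, now)
            queue.append(now)
            if len(queue) >= limit:
                self.blocked_until[key] = now + self.lockout


def build_targets(count):
    """Constructed target set: the attacker's guess for account i is correct
    on try (i % 12) + 1, so some accounts fall on the first guess and some
    would need more than nine tries (the attacker's cap below) and never fall."""
    return {f"user{i:04d}": (i % 12) + 1 for i in range(count)}


def simulate(targets, throttle=None, max_tries=9, source="203.0.113.7"):
    """Constructed attacker: walks the accounts in order, up to `max_tries`
    guesses each, one guess per second, all from one source address.
    Returns (accounts compromised, attempts the endpoint actually processed).
    """
    now = 0
    compromised = processed = 0
    for account, correct_on in targets.items():
        for attempt in range(1, max_tries + 1):
            now += 1
            if throttle is not None and not throttle.allow(account, source, now):
                continue  # rejected before any guess is checked
            processed += 1
            if attempt == correct_on:
                compromised += 1
                break
            if throttle is not None:
                throttle.record_failure(account, source, now)
    return compromised, processed


if __name__ == "__main__":
    targets = build_targets(100)
    print("no throttle:  ", simulate(targets))
    print("with throttle:", simulate(targets, ResetThrottle()))
```

With no throttle the modelled attacker takes 76 of the 100 constructed accounts across 586 processed attempts; with the throttle in place the account lock engages on the sixth account and the source lock on the seventh, and the endpoint processes only 25 attempts, five of which succeed. The per-source counter matters as much as the per-account one: an attacker who spreads a few guesses over thousands of accounts never trips a per-account limit on its own.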

It's true that email users shouldn't choose weak passwords, but the reliable fix is to enforce minimum length and complexity at enrollment, and to cap how many reset attempts an account or a single source may make, rather than to rely on users choosing well.

Email administrators at universities across the world will doubtless be scrambling to double-check their own reset procedures, and pondering whether the time has come to adopt two-step verification.

Powell has been charged with one count of fraud which carries a maximum sentence of five years in prison.