Man jailed for stealing images and details from more than 50 women

Consider Kevin M Maldonado: he’s the reason to limit the personal information you put online, and he’s the reason why your password shouldn’t be your anniversary or your cat’s name.

The 35-year-old man from the US state of Alabama has been sentenced to six months in federal prison and three years of supervised release after he pleaded guilty to spending two years hacking and tormenting at least 50 women.

The total number of victims can’t be ascertained, since all we know about for sure are the 50 he managed to steal from. We have no idea how many accounts he targeted and/or broke into but didn’t manage to steal sexual content from.

Some of them he knew. Some of them he didn’t. Some were arbitrarily plucked from online. From the sentencing memorandum:

He targeted women he knew and women he did not; women he had been romantically involved with and women he merely interacted with briefly; women with whom he had a connection, like a shared military history or high school and women who he found on the internet; and women who lived or worked near him in Shelby County, Alabama, and others who lived across the country and he was unlikely to ever see. The only thing that the defendant’s victims had in common was the defendant’s desire to delve into the details of their lives for his own pleasure.

Sure, he was after their nude photos and videos. But you can get better quality porn online than what he stole. It wasn’t so much the images he was after, it seems; rather, it appears that he was motivated mostly by a compulsive need to violate others’ privacy, the sentencing memorandum suggested:

…as many others as he could.

According to the US Attorney’s office in the Northern District of Alabama, Maldonado spent “countless” hours cyberstalking his victims, as he researched their personal information online, looking for hints to what they might have used as passwords for their accounts.

The defendant spent countless hours creating numerous fictitious email accounts impersonating email administrators from multiple email providers; sending numerous emails from these accounts demanding login and password information; and then frequently checking the fictitious email accounts for response emails from victims.

The defendant also spent untold hours trolling the accounts he accessed via phishing for additional password information and conducting extensive open source research, for example on websites such as, on potential victims and making note of information about them including birth dates, places of employment, collegiate affiliations, etc. He then used this information to try to guess victims’ passwords, or answer the security questions necessary to re-set them.

Resetting passwords didn’t always work to fight off this guy. Sometimes, he’d reset victims’ passwords multiple times so he could keep stealing women’s personal data from multiple platforms, including their web-based email accounts, iCloud and Dropbox.

Maldonado wasn’t satisfied with sexual content, mind you. He also downloaded innocent images that allowed the thief to pry into his victims’ personal lives, such as photos of kids, pets, family parties and nights on the town. He also turned his victims into accomplices, capturing their contacts so he could troll and stalk them, too. He went so far as to impersonate a victim so he could ask one of her contacts to send sexual images to him.

You can think of Maldonado as a librarian of creepiness. After he broke into women’s accounts and stole their data – including personal identifying information (PII) and personal photographs and videos, some of which were images of them nude, partially nude, or engaged in sexual activity – he catalogued the data by victim or group and saved it to an external hard drive for easy access.

In February, Maldonado pleaded guilty to one count of intentionally accessing the Gmail account of a victim identified by the initials KM in order to access her documents and images without her permission and to thereby invade her privacy. The plea deal let him off the hook for other crimes, including aggravated identity theft. He starts his jail sentence on July 17.

How to avoid phishers, cyberstalkers and thieves

Maldonado did his dirty work by guessing at, and/or phishing, victims’ passwords and security questions. We leave ourselves vulnerable to such low-tech attacks by leaving our personal information strewn around the web, be it by advertising our birthdays on Facebook, publicly posting the names and relationships of our children and family, or any other number of ways we expose our PII.

All that PII can be used to guess at answers to security questions that are supposed to be protecting our accounts, not putting down a welcome mat for hackers to waltz in. “Protecting” our accounts with passwords that are easy to guess is another welcome mat: at one point, Google Apps did a survey that found that the top 10 most common passwords were our pets’ names.

Lists of the top worst passwords come out as often as spring rain, but they tend to have much in common, and often it’s our PII. For example, after pets’ names, the other worst passwords off that Google Apps survey were:

  • Significant dates (such as a wedding anniversary)
  • Date of birth of close relation
  • Child’s name
  • Other family member’s name
  • Place of birth
  • Favorite holiday
  • Something related to favorite football team
  • Current partner’s name
  • The word “Password”

We could make it much tougher for creeps like Maldonado to crack open our accounts if we stopped cooking up passwords that are entirely-super-easily-guessable-by-anybody-on-the-planet. Some steps to protect ourselves with tougher passwords and other cyber security safeguards:

  • Check out the tips we’ve passed along on how to check that you’re not giving away information that can be used against you in a cyber attack.
  • Choose more complicated passwords. We’ve got a short video on how to pick a proper password; see below.
  • Always log out of services. Don’t walk away from your computer before you’ve logged out of email, for example.
  • Consider using two-factor authentication whenever it’s available.
  • Need to provide an answer to a security question? Lie your brains out. Manufacture pure gunk. Just make sure to track the nonsense you entered in case you need to reset your password. You might want to track your made-up security question answers in a password manager, for example.
  • Consider also using a password manager to concoct and to store passwords that are tough to crack. First educate yourself about the risks, though: we’ve seen multiple issues arise with password managers, including this zero day in LastPass, more holes that cropped up in April, and yet another hole at the end of March.
  • Locking down Facebook is a thing unto itself. To maintain privacy, you need to use privacy controls, but research has shown that millions of Facebook users are oblivious to, or just don’t use, privacy controls.

With that last one in mind, here are a few more Facebook-specific tips:

  • Don’t be one of the legions of privacy-control oblivious. Know how to use Facebook’s privacy controls. While you’re at it, don’t let your friends or family fall into that category. To see who can find the things you’ve shared, you can use privacy shortcuts and Activity Log to review your personal trail of glory and misdeeds. Go to Facebook’s Activity Log page for a list of your posts and activity, from today back to the dawn of your Facebook life. There, you can find stories and photos you’ve been tagged in, Pages you’ve liked, friends you’ve added, your photos, and photos you’re tagged in that are shared with Public.
  • Besides photos we’re tagged in without our permission, most of the stuff that’s in our Graphs is up because we put it there. To further clean up our Facebook personae, we can always remove a tag from a photo or post we’re tagged in. As Facebook outlines here, you do that by hovering over the story, then clicking and selecting Report/Remove Tag from the drop-down menu. Then, remove the tag or ask the person who posted it to take it down.
  • To further lock down your profile, take a gander at these three ways to better secure your Facebook account.
  • Don’t fall for phishing emails from creeps like Maldonado or his ilk, including those who hacked nude photos out of celebs in Celebgate. Check out our tips on how to avoid falling for phishing and spear-phishing.


(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)