George Garofano, 26, one of many pickpockets to rifle through the online accounts of Hollywood stars, on Wednesday was sentenced to eight months in jail and three years of supervised release for phishing credentials out of celebrities and non-celebrities alike, then breaking into about 240 iCloud accounts to steal personal images that he spread far and wide on the internet.
According to a press release from the US Attorney for the District of Connecticut, Garofano pleaded guilty to one count of unauthorized access to a protected computer to obtain information on 11 April, 2018.
At the time of his guilty plea, Garofano admitted to sending emails to the victims under the guise of being a member of Apple’s online security personnel in order to obtain their usernames and passwords.
The charges stemmed from a wave of attacks on the accounts of mostly female celebrities that started in 2014.
Known as Celebgate, that first wave involved intimate images being swiped of stars such as Winona Ryder, Hulk Hogan’s son, Nina Dobrev, AnnaLynne McCord, Victoria’s Secret model Erin Heatherton, Jennifer Lawrence, Kate Upton, Kirsten Dunst, Selena Gomez, Kim Kardashian, Vanessa Hudgens, Lea Michele and Hillary Duff, among others.
We’ve seen multiple men convicted and given jail time over prying open the Gmail and iCloud accounts of the Hollywood glitterati, but that sure didn’t stop Celebgate 2.0: in May 2017, we saw the intimate photos of Emma Watson and Amanda Seyfried stolen and posted.
The stolen images were disseminated online in places such as Reddit and Celebrity Jihad.
A few months later, Celebgate 3.0 swept up personal images of Miley Cyrus, Stella Maxwell, Kristen Stewart, Tiger Woods, Lindsey Vonn and Katharine McPhee.
Edward Majerczyk, one of the earlier thieves to be convicted and jailed, hit up his victims with a phishing scam in which he sent messages doctored to look like security notices from ISPs.
The phishing messages led victims to a website that harvested their usernames and the passwords for their Google or iCloud accounts. With the credentials in hand, Majerczyk was free to romp through victims’ accounts and grab whatever photos and videos he could find.
Both Majerczyk and Collins pulled the same shtick: sending phishing emails spoofed to look like they came from Apple or Google and which asked victims for account credentials.
We never heard the details of how they constructed the phishing emails, but the hacking of the 2016 US presidential election did bring us a fascinating dissection of how hackers used Bitly shortened links in phishing attacks to trick Democratic National Committee officials into handing over their own Gmail credentials.
In another investigation sparked by Celebgate, the US government seized a Chicago man’s computers in June 2015.
None of those cases, apparently, are related to yet another celebrity hacking prosecution: that of Alonzo Knowles’ guilty plea in New York for stealing new screenplays and sex videos from celebrities, nor of the felony hacking conviction of Andrew Helton in Oregon for similar hacking of celebrity-owned Apple and Google accounts.
In other words, Garofano is just the latest in a long string of busted, soon to be imprisoned celebrity hackers. Investigators sure don’t seem to be tired of chasing them down, though.
All the better for the people they’ve victimized.
One of those victims, Jennifer Lawrence, said at the time of her 2014 targeting that the theft and publication of nude photos of her was a “sex crime”.
Prosecutors were looking for a sentence of 10 to 16 months in prison, in line with federal guidelines. Garofano’s lawyers asked for leniency, requesting no more than five months in prison and another five months of home confinement.
What the prosecution said in its sentencing memo:
Mr Garofano’s offense was a serious one. He illegally hacked into his victims’ online accounts, invaded their privacy, and stole their personal information, including private and intimate photos. He did not engage in this conduct on just one occasion. He engaged in this conduct 240 times over the course of 18 months.
Not only did Mr Garofano keep for himself the photographs he stole, he disseminated them to other individuals. He may have also sold them to others to earn ‘extra income’.
In committing this offense, Mr Garofano acted in complete and utter disregard for the impact on his victims’ lives.
Garofano claims to have “already suffered” because of the actions he took beginning when he was in college. From his defense attorney Richard Lynch:
He now stands before the court having matured, accepting responsibility for his actions and having not been in trouble with the law since. There is nothing to suggest that he would ever engage in this or any other criminal conduct in the future.
The judge ordered Garofano to perform 60 hours of community service during his three years of supervised release.
What to do?
We recommend that you enable two-factor authentication (2FA), also known as two-step verification (2SV), for any account that supports it.
Sure, it’s slightly less convenient – when you login using 2FA you need to enter your username and password as usual, and then to enter a a one-time code as well.
To get the code, you usually either need to launch a special app on your phone, or wait a couple of seconds for a text message to arrive.
But the one-time code, as its name suggests, is different every time you log in, so crooks who phish your username and password no longer have enough information to take over your account.