Former high school teacher pleads guilty to hacking celebrities

A fifth person has pleaded guilty to federal charges of phishing logins and raiding iCloud accounts for nude photos in the 2014 Celebgate thievery blitz.

This one is a former high school teacher who picked on fellow teachers and students.

The US Attorney’s office in the Eastern District of Virginia announced on Monday that 31-year-old Christopher Brannan has pleaded guilty to getting his mitts on the complete iCloud backups, photographs, and other private information of more than 200 victims, including both celebrities and non-celebrities.

According to court records, those non-celebrities included his sister-in-law – who was a minor at the time – as well as current and former teachers and students at Lee-Davis High School, where Brannan taught special education until 2015.

Brannan used the same scams as that of the other Celebgate crooks who’ve pleaded guilty: He’d research social media accounts to glean answers to security questions – yet another reason why we should lock down access to our public profiles. Once he had that information, he’d use it to get unauthorized access to victims’ email accounts.

He also phished victims’ account usernames and passwords by sending them messages from email addresses spoofed to look like they were coming from Apple security.

Then, Brannan would break into victims’ email accounts to get at private photos and videos. He’d use software such as Elcomsoft in order to download entire iCloud account contents.

He and others would swap the account credentials online. On at least one occasion, he worked with another crook to hack into a victim’s account.

Brannan pleaded guilty to unauthorized access to a protected computer and aggravated identity theft. He’ll spend a minimum of two years in prison for the aggravated identity theft charge. The total maximum time he could spend in jail is seven years, though maximum sentences aren’t typically handed down. Both his lawyers and prosecutors are recommending he get 34 months when he’s sentenced on 25 January 2019.

Besides Brannan, the Celebgate Hall of Infamy includes these previously convicted thieves:

  • George Garofano, 26, sentenced in August to eight months in jail and three years of supervised release for phishing credentials out of celebrities and non-celebrities alike, then breaking into about 240 iCloud accounts to steal personal images that he spread far and wide on the internet.
  • Edward Majerczyk, 29, who pleaded guilty in September 2017 to prying open more than 300 iCloud and Gmail accounts – at least 30 of them belonging to Hollywood glitterati – and ripping off his victims’ sensitive and private photographs and videos.
  • Ryan Collins, 36, who was sentenced to 18 months in jail in October 2016.
  • Emilio Herrera, 33, of Chicago, is serving 16 months. The FBI associated his IP address with accessing about 572 unique iCloud accounts.

Keep your social media private

Facebook for one has revamped its security and privacy settings for users following the Cambridge Analytica scandal this year.

And on Twitter and Instagram, everything you post is public by default, unless you choose to lock your profiles down, so just be mindful of what personal details you’re posting there. Tagging your high school, mother, or raving about the latest superhero movie could be exposing likely answers to password-recovery security questions.

Both Twitter and Instagram do offer you the option of keeping your profile private so it’s worth considering that too.

It’s a good idea to install two-factor authentication (2FA) on all your social media, email and cloud storage accounts too – whether you’re a celebrity or not. With 2FA, these crooks would have found it much harder to access personal photos, videos and emails.