Feds charge Arizona man with using password scheme to hack 1,050 college students

An Arizona man used his work computer to hack into the personal internet accounts of more than 1,000 students at various colleges across the country, federal prosecutors said this week.

Jonathan Powell, 29, was arrested Wednesday in Phoenix and charged with one count of computer fraud related to a scheme he allegedly used during a 13-month hacking spree.

Federal investigators said Mr. Powell was able to breach 1,050 unique email accounts from students of two different colleges by using a password reset featured designed to let legitimate users regain access in the event they’ve forgotten their credentials.

Beginning in August, several students of Pace University in New York City complained that their email passwords had been abruptly changed without their permission, according to court documents.

Investigators later determined that the server used by the password reset feature had been accessed roughly 18,640 different times between October 2015 and September 2016 by a computer that prosecutors traced back to Mr. Powell.

Each time he alleged utilized the reset feature, Mr. Powell would have been asked to provide the user-specific answers to a pair of security questions pertaining to each account. According to prosecutors, he was able to successfully change 1,378 passwords during his supposed crime spree in connection with approximately 1,035 unique Pace email accounts.

Once the college email accounts were compromised, prosecutors believe Mr. Powell then used that access to further hack his victims. According to court documents, Mr. Powell sometimes looked to see if his victims had linked their college accounts with third-party websites, then gained access to those accounts by having the passwords reset to the college address under his control.

In a criminal complaint filed under seal Tuesday, FBI Special Agent Christopher Merrian said that Mr. Powell was able to hack into a target’s college email and then pivot to their personal Gmail account in less than 15 minutes. In that specific instance, prosecutors say Mr. Powell then searched the student’s Gmail account for terms including “password,” “naked” and “horny.”

“Powell used password reset tools to basically pick the lock of thousands of personal spaces and look around at what was stored there,” FBI Assistant Director William F. Sweeney said in a statement. “Cybercrime victims can be large companies or individual users who have their network or accounts accessed illegally, even if there is no theft. The FBI takes seriously any allegations of intrusions, and we will continue to hold accountable those who pose a threat in cyberspace.”

Authorities traced the frequent resets to an IP address that brought them to the Phoenix branch of a company where Mr. Powell worked, according to court documents.

After narrowing down the intrusions to a specific devices used by Mr. Powell, the FBI orchestrated a ruse in order to physically access the computer where he allegedly committed the crimes. A forensic investigation later showed that the computer contained databases consisting of user names and passwords for thousands of students across several college, as well as other incriminating data said to implicate him in the hacks.

Mr. Powell appeared before a Phoenix judge Wednesday and was released on his own recognizance. He’s slated to appear in a New York City courtroom next week and answer to the accusations there. He faces a maximum sentence of five years if convicted on the single count of computer fraud.

An attorney for Mr. Powell did not respond to a request for comment when contacted this week, Reuters reported. 

Authorities said Mr. Powell targeted students at more than 75 colleges using his work computer, and that a review of his browser history showed that he thoroughly researched his targets in an apparent attempt to learn the answers to their security questions. He’s believed to have successfully changed the credentials to the accounts pertaining to 1,035 Pace students, as well as 15 others at an unnamed university in Pennsylvania.

“This case should serve as a wakeup call for universities and educational institutions around the country,” said U.S. Attorney Preet Bharara, the government’s prosecutors for the Southern District of New York. “There is no greater threat to our security and personal privacy than the cyber threat, and hackers must be identified, stopped and punished.”