Man uses Facebook to break into email accounts, send nude photos of victims

The Associated Press is reporting that a California man pleaded guilty to seven felonies, all stemming from breaking into the email accounts of women, looking through their sent folders for nude photos and videos, and then forwarding them to everyone in the victim’s address book. The man would look for Facebook profiles that provided personal information like email address, birthday, favorite color, and the like. Armed with these details, he would initiate a password reset request on the email account and answer the security questions to gain access. From there, he would look through the sent messages folder for racy pictures that the woman may have sent and would then forward those images to everyone in the woman’s address book.

While everyone will be quick to point out the issues with Facebook or that people share too much information on the site, the real issue is that companies are slow to adopt robust security measures for their systems. Even worse, they frequently sabotage the front-line defense (the password) with a side entrance that is much easier to get through (security questions). A user could have the perfect 35-character random password, but if all an attacker needs to know is the user’s favorite color, city of birth, or father’s middle name, that random password becomes useless. Bruce Schneier has written about this multiple times in the past and says that, “if the password is controlling access to something important -- like my bank account -- then the bypass mechanism should be harder, not easier.”

Some sites, like PayPal.com and World of Warcraft, offer a token that generates a new code every 60 seconds that is required to log in. Others can send an SMS message to your phone with a code that is required to log in to the site. These measures are called "two-factor authentication," adding a "something you have" to the "something you know" equation.

What should we take out of this incident? Either make the answers to your “security questions” random passwords as well, or empty the sent folder after sending nude photos of yourself.
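The weakest-link argument above and the advice to use random security answers, worked through as an added example that is not part of the original article: the candidate counts per question are constructed estimates, and all function names are hypothetical.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def random_string_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


def reset_path_bits(candidates_per_question):
    """Guessing work for a reset form that requires every answer.

    Each entry is the number of plausible answers an attacker must try.
    An entry of 1 means the answer is published (for example on a public
    profile) and contributes 0 bits.
    """
    return sum(math.log2(n) for n in candidates_per_question)


def effective_bits(password_bits, reset_bits):
    """The account is only as strong as its easiest way in."""
    return min(password_bits, reset_bits)


def random_answers(questions, length=24):
    """One independent random answer per question, to store in a password manager."""
    return {q: "".join(secrets.choice(ALPHABET) for _ in range(length))
            for q in questions}


QUESTIONS = ["favorite color", "city of birth", "father's middle name"]
GUESSED = [16, 1024, 256]   # constructed estimates of plausible answers
PUBLISHED = [1, 1, 256]     # color and city are visible on a public profile

if __name__ == "__main__":
    pw = random_string_bits(35)  # the 35-character random password
    print("password alone:        %.1f bits" % pw)
    print("truthful answers:      %.1f bits" % effective_bits(pw, reset_path_bits(GUESSED)))
    print("answers on a profile:  %.1f bits" % effective_bits(pw, reset_path_bits(PUBLISHED)))
    strong = len(QUESTIONS) * random_string_bits(24)
    print("random answers:        %.1f bits" % effective_bits(pw, strong))
    print(random_answers(QUESTIONS))
```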

44 Comments


If you're sending nude pics of yourself around to folks, c'mon, how upset can you really be when someone gets those nude pics (you put on the interwebz!!) and sends them around to folks? ROFL

Soulsiphon said,
If you're sending nude pics of yourself around to folks, c'mon, how upset can you really be when someone gets those nude pics (you put on the interwebz!!) and sends them around to folks? ROFL

Must be quite common that people do, else he wouldn't have many victims....

Soulsiphon said,
If you're sending nude pics of yourself around to folks, c'mon, how upset can you really be when someone gets those nude pics (you put on the interwebz!!) and sends them around to folks? ROFL

So you don't mind your family members seeing you naked?

statm1 said,

So you don't mind your family members seeing you naked?

I'd prefer they not, but I mitigate that possibility BY NOT UPLOADING NUDE PICS OF MYSELF TO THE INTERNET. ya feel me?

djurbino said,

7 facebook users with low security and low self esteem get their email accounts hacked.
493,000,000+ facebook users don't get their email accounts hacked.
So, sure, everyone should quit Facebook because of this.

lol

7 this time, that they know of, but how many other issues has Facebook had?

No, not everyone should QUIT Facebook. It should flat out be taken down!!
I despise that low life place, in case you can't tell?! Way too many idiots and perverts in the world for a site like that to exist, but that's just my opinion.

If you're stupid enough to send out naked emails of yourself then I don't have any pity for you. I'd imagine that next family get together might be pretty awkward.

"If you're stupid enough to send..."

I suppose everyone here who is crucifying those that got caught with their pants down (literally) has never sent anything in email that might be embarrassing if someone else read it (not just talking about photos after all)? This isn't limited to embarrassing information anyway. The hacker could have been looking for information about where these people bank, and try to gain access to their online banking accounts. I suppose none of you use online banking sites or have them linked to your email accounts?

The bottom line is that email should be considered private and you should have some expectation of privacy. Websites that employ "secret question" security measures don't say "make this stuff up to make it harder for others to guess" now do they? They have purposefully made their security less secure.

That being said, your personal email account should not be publicly viewable on Facebook. It should be limited to those who you personally know. If a stranger wants to send you a message, they can do so via Facebook messages.

My entire profile is set to friends only. They get an unavailable error. 'nuff said.

EDIT: Actually you get an error if you are not a Facebook member at the moment. You get very little info if you are a member and are not a friend. Most information is set to friends only so very little leaks out.

Edited by shinji257, Jan 16 2011, 11:36pm :

Please note that while PayPal does have that security token you still have the side door of the security questions. eBay on the other hand requires that you call in if you lose that security token or don't have it on hand.

Am I the only one who to the question "What's your favorite color?" Replies "Volkswagon"?? You just have to choose one random question, and a random answer that you'll remember for all sites. My security is anyways my password. This is for the guy who wants to bypass it.

(btw, for all the smart ones here jumping on their keyboards that they now know my answer and can use it... that's not my real secret answer... :-P )

Suave Sagittarian said,
Am I the only one who to the question "What's your favorite color?" Replies "Volkswagon"?? You just have to choose one random question, and a random answer that you'll remember for all sites. My security is anyways my password. This is for the guy who wants to bypass it.

(btw, for all the smart ones here jumping on their keyboards that they now know my answer and can use it... that's not my real secret answer... :-P )


Uh huh, sure it's not!

What should we take out of this incident? Either make the answers to your “security questions” random passwords as well, or empty the sent folder after sending nude photos of yourself.

That's what we've learned??? How about "don't e-mail nude pictures of yourself in the first place".

Yet again this is nothing more than pilot error.

He was smart and yet stupid to get caught. People are just stupid because they use common info about themselves as passwords. Most of the info is right on Facebook in plain sight. Many use their birthday or anniversary date as the password. Or their kid's birthday. Place you live? Wow how stupid is that to use. The way I see it, they deserved to have their account access stolen. Smart people rarely if ever get anything stolen from them. It's always the dumb morons.

Too bad so sad you're going to jail, for a lil while. I hope it was worth it. Can you imagine the conversation - "What you in for?" "Oh I broke into a few Facebook accounts and sent naked pictures to their friends" - "Were they of yourself?" "Nah, it was pictures of them." "Really?" "Yeah, stupid right?!" "Nah, at least yours were only pictures, mine were actually the real bodies when I was finished."
