Man uses Facebook to break into email accounts, send nude photos of victims

The Associated Press is reporting that a California man pleaded guilty to seven felonies, all stemming from breaking into email accounts of women, looking through their sent folders for nude photos and videos, and then forwarding them off to everyone in the victim’s address book. The man would look for Facebook profiles that provided personal information like email address, birthday, favorite color, and the like. Armed with these details, he would initiate a password reset request on the email account and answer the security questions to gain access. From here, he would look through the sent messages folder for racy pictures that the woman may have sent and would then forward those images to everyone in the woman’s address book.

While everyone will be quick to point out the issues with Facebook or that people share too much information on the site, the real issue is that companies are slow to adopt robust security measures for their systems. Even worse, they frequently sabotage the front line defense (password) with a side entrance that is much easier to get through (security questions). A user could have the perfect 35 character random password, but if all an attacker needs to know is the user’s favorite color, city of birth, or father’s middle name, that random password becomes useless. Bruce Schneier has written about this multiple times in the past and says that, “if the password is controlling access to something important -- like my bank account -- then the bypass mechanism should be harder, not easier.”

Some sites, like PayPal.com and World of Warcraft, offer a token that generates a new code every 60 seconds that is required to log in. Others can send an SMS message to your phone with a code that is required to log in to the site. These measures are called "two-factor authentication," adding a "something you have" to the "something you know" equation.

What should we take out of this incident? Either make the answers to your “security questions” random passwords as well, or empty the sent folder after sending nude photos of yourself.

44 Comments


He was smart and yet stupid to get caught. People are just stupid because they use common info about themselves as passwords. Most of the info is right on facebook in plain sight. Many use their birthday or anniversary date as the password. Or their kid's birthday. Place you live? Wow how stupid is that to use. The way I see it, they deserved to have their account access stolen. Smart people rarely if ever get anything stolen from them. It's always the dumb morons.

Too bad so sad you're going to jail, for a lil while. I hope it was worth it. Can you imagine the conversation - "What you in for?" "Oh I broke into a few Facebook accounts and sent naked pictures to their friends" - "Were they of yourself?" "Nah, it was pictures of them." "Really?" "Yeah, stupid right?!" "Nah, at least yours were only pictures, mine were actually the real bodies when I was finished."

What should we take out of this incident? Either make the answers to your “security questions” random passwords as well, or empty the sent folder after sending nude photos of yourself.

That's what we've learned??? How about "don't e-mail nude pictures of yourself in the first place".

Yet again this is nothing more than pilot error.

Am I the only one who to the question "What's your favorite color?" Replies "Volkswagon"?? You just have to choose one random question, and a random answer that you'll remember for all sites. My security is anyways my password. This is for the guy who wants to bypass it.

(btw, for all the smart ones here jumping on their keyboards that they now know my answer and can use it... that's not my real secret answer... :-P )

Suave Sagittarian said,
Am I the only one who to the question "What's your favorite color?" Replies "Volkswagon"?? You just have to choose one random question, and a random answer that you'll remember for all sites. My security is anyways my password. This is for the guy who wants to bypass it.

(btw, for all the smart ones here jumping on their keyboards that they now know my answer and can use it... that's not my real secret answer... :-P )


Uh huh, sure it's not!

Please note that while paypal does have that security token you still have the side door of the security questions. Ebay on the other hand requires that you call in if you lose that security token or don't have it on hand.

"If you're stupid enough to send..."

I suppose everyone here who is crucifying those that got caught with their pants down (literally) have never sent anything in email that might be embarrassing if someone else read it (not just talking about photos after all)? This isn't limited to embarrassing information anyway. The hacker could have been looking for information about where these people bank, and try to gain access to their online banking accounts. I suppose none of you use online banking sites or have them linked to your email accounts?

The bottom line is that email should be considered private and you should have some expectation of privacy. Websites that employ "secret question" security measures don't say "make this stuff up to make it harder for others to guess" now do they? They have purposefully made their security less secure.

That being said, your personal email account should not be publicly viewable on Facebook. It should be limited to those who you personally know. If a stranger wants to send you a message, they can do so via Facebook messages.

My entire profile is set to friends only. They get an unavailable error. 'nuff said.

EDIT: Actually you get an error if you are not a Facebook member at the moment. You get very little info if you are a member and are not a friend. Most information is set to friends only so very little leaks out.

Edited by shinji257, Jan 16 2011, 11:36pm :

If you're stupid enough to send out naked emails of yourself then I don't have any pity for you. I'd imagine that next family get together might be pretty awkward.

djurbino said,

7 facebook users with low security and low self esteem get their email accounts hacked.
493,000,000+ facebook users don't get their email accounts hacked.
So, sure, everyone should quit Facebook because of this.

lol

7 this time, that they know of, but how many other issues has Facebook had?

No, not everyone should QUIT Facebook. It should flat out be taken down!!
I despise that low life place, in case you can't tell?! Way too many idiots and perverts in the world for a site like that to exist, but that's just my opinion.

If you're sending nude pics of yourself around to folks, c'mon, how upset can you really be when someone gets those nude pics (you put on the interwebz!!) and sends them around to folks? ROFL

Soulsiphon said,
If you're sending nude pics of yourself around to folks, c'mon, how upset can you really be when someone gets those nude pics (you put on the interwebz!!) and sends them around to folks? ROFL

Must be quite common that people do, else he wouldn't have many victims....

Soulsiphon said,
If you're sending nude pics of yourself around to folks, c'mon, how upset can you really be when someone gets those nude pics (you put on the interwebz!!) and sends them around to folks? ROFL

So you don't mind your family members seeing you naked?

statm1 said,

So you don't mind your family members seeing you naked?

I'd prefer they not, but I mitigate that possibility BY NOT UPLOADING NUDE PICS OF MYSELF TO THE INTERNET. ya feel me?

Sounds like he's just a pervert looking for something to fap to.

Hasn't this man ever heard of porn?

Tom said,
Sounds like he's just a pervert looking for something to fap to.

Hasn't this man ever heard of porn?


With the internet at people's disposal regular porn just doesn't tickle people's fancies anymore. Basically normal porn just doesn't cut it for some people anymore.

but if all an attacker needs to know is the user's favorite color, city of birth, or father's middle name, that random password becomes useless.

seriously? Who said that you have to input real information in there!
The secret question option is there to make it more difficult which it does if you aren't a complete moron and input your personal info.

AKLP said,

seriously? Who said that you have to input real information in there!
The secret question option is there to make it more difficult which it does if you aren't a complete moron and input your personal info.

+1. It's all about making it all up!

AKLP said,

seriously? Who said that you have to input real information in there!
The secret question option is there to make it more difficult which it does if you aren't a complete moron and input your personal info.

Ya. I look at the list of questions, and any family members and friends know the answers! It's really about making a second password

Val Thе Awеsome said,

I just read http://www.cracked.com/article...-lives-incredibly-easy.html this, and then came here to find a confirmation of that article. #4 and #3 at their most.


Nice article. I like this one: "One survey found that, in public, 70 percent of people would give out their passwords in exchange for chocolate." I teach a community education security class and before the class I hand everyone a form asking for information like name, email address, why they're taking the class, etc. The last question asks for their email password. At the bottom of the form, it says "If you wrote down your password, you have fallen for a social engineering attack. Nobody should ever know your password. Please cross it out on the form." At least half my class always writes the password on the form...

I would agree... but some sites make you enter those pathetic questions when logging in. I used to put fake info in until I started getting asked the silly questions.

I've always wondered who thought questions like that were a bright idea... now, over the past few years we've found how stupid and insecure they really are.

Julius Caro said,

+1. It's all about making it all up!


Yeah, I never put my real info on any sites. For instance, my "real" name is not real, and my location is always set to South Africa.

Astro Zombie said,

Yeah, I never put my real info on any sites. For instance, my "real" name is not real, and my location is always set to South Africa.

You just told us your (fake)location!!!!

Fezmid said,

Nice article. I like this one: "One survey found that, in public, 70 percent of people would give out their passwords in exchange for chocolate."

That study is crap...they could not verify. I have been part of one of these studies, made up something on the spot, got my candy bar and some dumbarse researcher thinks he has my password.

steveomac said,
more asking why someone would send nude pics over something as unsecured as facebook anyway.

The pics weren't on Facebook but in the email account he broke into using the info on FB