Hacker involved in 'Celebgate' iCloud intrusion sentenced to prison
Another hacker has been sentenced to prison for their part in a phishing scheme that yielded access to the private iCloud accounts of Hollywood celebrities, an incident referred to as "Celebgate."
According to the U.S. Attorney's Office for the District of Connecticut, George Garofano, 26, was on Wednesday sentenced to eight months in prison, followed by three years of supervised release, for instigating a phishing attack on more than 200 iCloud accounts. Victims of the hack included members of the entertainment industry, as well as non-celebrities living in Connecticut.
In court, Garofano admitted to participating in a phishing scheme from April 2013 through October 2014, soliciting for usernames and passwords in email correspondence that appeared to be from an official Apple security account. Targets were either asked to provide their information directly or to input the sensitive data on a third-party website.
Garofano used the credentials he obtained to gain unauthorized access to about 240 iCloud accounts, where he purloined private, and sometimes sensitive, data including photos and video. The hacker also traded usernames and passwords, as well as gathered material, with other individuals.
The U.S. Attorney's Office for the Central District of California filed charges against Garofano in January and the case was subsequently transferred to the District of Connecticut. Garofano pleaded guilty to one count of unauthorized access to a protected computer to obtain information in April.
In 2014, a cache of private media pulled from the iCloud and Google accounts of prominent public figures circulated through the dark web and ultimately saw wide distribution via file sharing protocols like BitTorrent.
Media reports at the time incorrectly blamed the alleged leak on an iCloud data breach, but Apple quickly denied those claims. A subsequent federal investigation revealed a small band of hackers was responsible for the initial data theft, largely accomplished through phishing and spear phishing schemes.
Garofano is the latest "Celebgate" offender to see prison time. Last year, an Illinois man was sentenced to 9 months in prison for a related phishing attack targeting more than 300 iCloud and Gmail accounts. Prior to that, a Pennsylvania man was sentenced to 18 months in prison for accessing 50 iCloud accounts and 72 Gmail accounts in 2016.
According to the U.S. Attorney's Office for the District of Connecticut, George Garofano, 26, was on Wednesday sentenced to eight months in prison, followed by three years of supervised release, for instigating a phishing attack on more than 200 iCloud accounts. Victims of the hack included members of the entertainment industry, as well as non-celebrities living in Connecticut.
In court, Garofano admitted to participating in a phishing scheme from April 2013 through October 2014, soliciting for usernames and passwords in email correspondence that appeared to be from an official Apple security account. Targets were either asked to provide their information directly or to input the sensitive data on a third-party website.
Garofano used the credentials he obtained to gain unauthorized access to about 240 iCloud accounts, where he purloined private, and sometimes sensitive, data including photos and video. The hacker also traded usernames and passwords, as well as gathered material, with other individuals.
The U.S. Attorney's Office for the Central District of California filed charges against Garofano in January and the case was subsequently transferred to the District of Connecticut. Garofano pleaded guilty to one count of unauthorized access to a protected computer to obtain information in April.
In 2014, a cache of private media pulled from the iCloud and Google accounts of prominent public figures circulated through the dark web and ultimately saw wide distribution via file sharing protocols like BitTorrent.
Media reports at the time incorrectly blamed the alleged leak on an iCloud data breach, but Apple quickly denied those claims. A subsequent federal investigation revealed a small band of hackers was responsible for the initial data theft, largely accomplished through phishing and spear phishing schemes.
Garofano is the latest "Celebgate" offender to see prison time. Last year, an Illinois man was sentenced to 9 months in prison for a related phishing attack targeting more than 300 iCloud and Gmail accounts. Prior to that, a Pennsylvania man was sentenced to 18 months in prison for accessing 50 iCloud accounts and 72 Gmail accounts in 2016.
Comments
I still see idiots spouting this. They reference that “hacker” who claimed you could brute force iCloud passwords. When several people tried to duplicate his method and found it didn’t work, he simply replied “Well, it used to work so Apple must have fixed it”. Never mind the fact he provided zero proof that it ever worked.
Hacker discovers one of the most newsworthy exploits in recent memory, doesn’t document any of it, and just expects people to take his word for it. Apparently a lot of gullible (and frankly, stupid) people did.
Good advice about ignoring the haters but stupidity gets to the core of me.
And I call them "slaves" because I was sick of them calling people who buy REAL iPhones "sheep" even though Apple has a small marketing budget for their size. "Slaves" because even after telling them they're the product and their data is sold for profit, they'll still defend their master.
Considering he did his community service by letting people see nude celebs, 8 months is fine!!
Their duty of care was huge. This was totally foreseeable and avoidable.
(Not a hater or troll - Apple user since '95)
If you put private stuff online, it's your own responsibility to make sure the access is secure enough. Just like when I put my classic cars into a garage, it's MY responsibility to ensure the locks on the garage door and cctv monitoring it are up to the job.
Had the passwords came from a leaked database elsewhere then the fault lies with the database owner's lack of security, still not the "hacker"s blame imho.
I hope someone steals nude photos of you, then your address and your bank details, then your internet history, and publishes for all the world to see. I'm sure then you'll be self-effacing about how it's all your fault really, and the hacker didn't do anything bad.
For the record, my credit card details were stolen one time, from a Debenhams database that was "hacked". As I said above - if the passwords came from a leaked database, the fault lies with the database owner.
If a hacker had obtained the passwords from an insecure DB, then the hacker is still mostly to blame. Leaving my car unlocked and with items in plain view certainly doesn't absolve a thief from stealing items from my car seat.
This is so obviously nonsense from someone privileged enough to have never significantly been a victim. Debenhams may have been at fault when they were hacked, but that obviously doesn't mean the hacker isn't a criminal. They are. And if they cause material or personal harm while perpetuating criminal actions then they deserve to have the book thrown at them. "Unless they made money" is such a cop-out; they caused a huge amount of pain, and your attitude is borderline sociopathic.
btw you're the one who in just two posts has hoped this all happens to me, name calls, categorises and accuses, yet I'm the sociopath? nice.
edit* - still waiting to hear how my access to my iCloud files gives someone my bank details?
"Celebs" are allowed to upload anything they like to a secure cloud service, just the same as you, and have an expectation that it will remain private. If they are reckless with their password choices, or prone to being fooled by phishing schemes, or the cloud vendor is lax in their approaches, sure, some element of responsibility can be apportioned appropriately, but that doesn't take away from the fact that the individual breaking into another person's private data and using it for their own purposes is guilty of a crime. Your bullshit about "some celebs actually revel in this stuff" is pretty gross. Some might, but a lot don't, and it's irrelevant either way; they should always have a choice, and it shouldn't be down to whether money was lost to determine if there has been wrongdoing. Money isn't everything, privacy is worth a lot without a $ value being attached.