Hacker involved in 'Celebgate' iCloud intrusion sentenced to prison

Posted in General Discussion, edited August 2018
Another hacker has been sentenced to prison for their part in a phishing scheme that yielded access to the private iCloud accounts of Hollywood celebrities, an incident referred to as "Celebgate."


According to the U.S. Attorney's Office for the District of Connecticut, George Garofano, 26, was on Wednesday sentenced to eight months in prison, followed by three years of supervised release, for instigating a phishing attack on more than 200 iCloud accounts. Victims of the hack included members of the entertainment industry, as well as non-celebrities living in Connecticut.

In court, Garofano admitted to participating in a phishing scheme from April 2013 through October 2014, soliciting usernames and passwords in email correspondence that appeared to be from an official Apple security account. Targets were either asked to provide their information directly or to input the sensitive data on a third-party website.

Garofano used the credentials he obtained to gain unauthorized access to about 240 iCloud accounts, where he purloined private, and sometimes sensitive, data including photos and video. The hacker also traded usernames and passwords, as well as gathered material, with other individuals.

The U.S. Attorney's Office for the Central District of California filed charges against Garofano in January and the case was subsequently transferred to the District of Connecticut. Garofano pleaded guilty to one count of unauthorized access to a protected computer to obtain information in April.

In 2014, a cache of private media pulled from the iCloud and Google accounts of prominent public figures circulated through the dark web and ultimately saw wide distribution via file sharing protocols like BitTorrent.

Media reports at the time incorrectly blamed the alleged leak on an iCloud data breach, but Apple quickly denied those claims. A subsequent federal investigation revealed a small band of hackers was responsible for the initial data theft, largely accomplished through phishing and spear phishing schemes.

Garofano is the latest "Celebgate" offender to see prison time. Last year, an Illinois man was sentenced to 9 months in prison for a related phishing attack targeting more than 300 iCloud and Gmail accounts. Prior to that, a Pennsylvania man was sentenced to 18 months in prison for accessing 50 iCloud accounts and 72 Gmail accounts in 2016.

Comments

  • Reply 1 of 22
    claire1 Posts: 510, unconfirmed member
    And the android slaves will still LIE and say iCloud was hacked while handing their personal data to google......(and ignoring the fact more than iCloud was "hacked" including Google Drive)
  • Reply 2 of 22
    claire1 said:
    And the android slaves will still LIE and say iCloud was hacked while handing their personal data to google......(and ignoring the fact more than iCloud was "hacked" including Google Drive)

    I still see idiots spouting this. They reference that “hacker” who claimed you could brute force iCloud passwords. When several people tried to duplicate his method and found it didn’t work, he simply replied “Well, it used to work so Apple must have fixed it”. Never mind the fact he provided zero proof that it ever worked.

    Hacker discovers one of the most newsworthy exploits in recent memory, doesn’t document any of it, and just expects people to take his word for it. Apparently a lot of gullible (and frankly, stupid) people did. 
  • Reply 3 of 22
    lkrupp Posts: 9,991, member
    claire1 said:
    And the android slaves will still LIE and say iCloud was hacked while handing their personal data to google......(and ignoring the fact more than iCloud was "hacked" including Google Drive)
    It’s the human condition. We just see it more when it comes to the tech world. People develop attitudes and opinions that they protect viciously, rejecting facts or evidence that contradict their settled on points of view. We see it whenever an article appears regarding carriers like AT&T, Verizon, T-Mobile, Sprint. The comment thread is immediately populated by those with any kind of axe to grind against a carrier they have determined to have treated them badly or unfairly. Take the anti-science crowd who literally makes crap up to explain their take on settled scientific theory. Just look at all the “Einstein was wrong and I’m right” bullshit that permeates the Internet. Or take the religious literal zealots who claim that fossils were put there by Satan to fool mankind into thinking the world is much older than the Bible says it is. You can’t have a discussion with that kind of thinking so why even try. So ignore the Android “slaves” as you call them because they are who they are. Apple hatred is a cottage industry and always has been. You can’t fight it because it’s so ignorant. Apple has managed to become the most influential and dominant tech company on the planet by ignoring the haters. You should too.
  • Reply 4 of 22
    claire1 Posts: 510, unconfirmed member
    lkrupp said:
    claire1 said:
    And the android slaves will still LIE and say iCloud was hacked while handing their personal data to google......(and ignoring the fact more than iCloud was "hacked" including Google Drive)
    It’s the human condition. We just see it more when it comes to the tech world. People develop attitudes and opinions that they protect viciously, rejecting facts or evidence that contradict their settled on points of view. We see it whenever an article appears regarding carriers like AT&T, Verizon, T-Mobile, Sprint. The comment thread is immediately populated by those with any kind of axe to grind against a carrier they have determined to have treated them badly or unfairly. Take the anti-science crowd who literally makes crap up to explain their take on settled scientific theory. Just look at all the “Einstein was wrong and I’m right” bullshit that permeates the Internet. Or take the religious literal zealots who claim that fossils were put there by Satan to fool mankind into thinking the world is much older than the Bible says it is. You can’t have a discussion with that kind of thinking so why even try. So ignore the Android “slaves” as you call them because they are who they are. Apple hatred is a cottage industry and always has been. You can’t fight it because it’s so ignorant. Apple has managed to become the most influential and dominant tech company on the planet by ignoring the haters. You should too.
    I believe in God but don't deny science.

    Good advice about ignoring the haters but stupidity gets to the core of me.

    And I call them "slaves" because I was sick of them calling people who buy REAL iPhones "sheep" even though Apple has a small marketing budget for their size. "Slaves" because even after telling them they're the product and their data is sold for profit, they'll still defend their master.
  • Reply 5 of 22
    MacPro Posts: 19,483, member
    claire1 said:
    And the android slaves will still LIE and say iCloud was hacked while handing their personal data to google......(and ignoring the fact more than iCloud was "hacked" including Google Drive)
    Hacked isn't even relevant, they were phished I would assume.
  • Reply 6 of 22
    These scammers/phishers should be sentenced much longer than a few months. Give them 10+ years!
  • Reply 7 of 22
    JFC_PA Posts: 707, member
    Yes, the short sentences are wrong. People no doubt were hurt in various ways including monetarily. Civil suits?
  • Reply 8 of 22
    YvLy Posts: 89, member
    8 months?? That's it??
  • Reply 9 of 22
    YvLy said:
    8 months?? That's it??

    Considering he did his community service by letting people see nude celebs, 8 months is fine!!
  • Reply 10 of 22
    oodlum Posts: 40, member
    Celebgate? Don't you mean The Fappening? Asking for a friend.
  • Reply 11 of 22
    oodlum Posts: 40, member
    claire1 said:
    And the android slaves will still LIE and say iCloud was hacked while handing their personal data to google......(and ignoring the fact more than iCloud was "hacked" including Google Drive)
    Apple still dropped the ball by not requiring an authentication code when logging via an unknown device. Apple encouraged its users to allow the automatic upload of their private photos to the cloud. What could go wrong?

    Their duty of care was huge. This was totally foreseeable and avoidable.

    (Not a hater or troll - Apple user since '95)
    edited August 2018
  • Reply 12 of 22
    Unless they made any money from it I'm afraid I don't see what they did that was so bad. They GUESSED someone's password and/or security info.

    If you put private stuff online, it's your own responsibility to make sure the access is secure enough. Just like when I put my classic cars into a garage, it's MY responsibility to ensure the locks on the garage door and cctv monitoring it are up to the job.

    Had the passwords come from a leaked database elsewhere then the fault lies with the database owner's lack of security, still not the "hacker"s blame imho.
  • Reply 13 of 22
    crowley Posts: 10,143, member
    adm1 said:
    Unless they made any money from it I'm afraid I don't see what they did that was so bad. They GUESSED someone's password and/or security info.

    If you put private stuff online, it's your own responsibility to make sure the access is secure enough. Just like when I put my classic cars into a garage, it's MY responsibility to ensure the locks on the garage door and cctv monitoring it are up to the job.

    Had the passwords come from a leaked database elsewhere then the fault lies with the database owner's lack of security, still not the "hacker"s blame imho.
    What kind of creepy ass shit is this?

    I hope someone steals nude photos of you, then your address and your bank details, then your internet history, and publishes for all the world to see.  I'm sure then you'll be self-effacing about how it's all your fault really, and the hacker didn't do anything bad.
  • Reply 14 of 22
    claire1 said:
    I believe in God but don't deny science.

    Good advice about ignoring the haters but stupidity gets to the core of me.

    And I call them "slaves" because I was sick of them calling people who buy REAL iPhones "sheep" even though Apple has a small marketing budget for their size. "Slaves" because even after telling them they're the product and their data is sold for profit, they'll still defend their master.
    Did one of them steal your car or rape your partner? :D :D :D Reminds me of 2010!
  • Reply 15 of 22
    dewme Posts: 4,241, member
    This is a slap on the wrist but I’m glad to see that these crimes are being prosecuted and the people who are convicted are going to jail. Maybe someone will post some jailhouse pictures of this guy with his new roommate on social media. 
  • Reply 16 of 22
    crowley said:
    adm1 said:
    Unless they made any money from it I'm afraid I don't see what they did that was so bad. They GUESSED someone's password and/or security info.

    If you put private stuff online, it's your own responsibility to make sure the access is secure enough. Just like when I put my classic cars into a garage, it's MY responsibility to ensure the locks on the garage door and cctv monitoring it are up to the job.

    Had the passwords come from a leaked database elsewhere then the fault lies with the database owner's lack of security, still not the "hacker"s blame imho.
    What kind of creepy ass shit is this?

    I hope someone steals nude photos of you, then your address and your bank details, then your internet history, and publishes for all the world to see.  I'm sure then you'll be self-effacing about how it's all your fault really, and the hacker didn't do anything bad.
    For one, I don't have or put "nude photos" of myself online - I don't understand the need people have to do that anyway. My address is already easily found online, in the UK, you're listed automatically in phone books, on the land registry, and marketing lists if you're registered to vote etc. etc. Bank Details, how exactly would that be found from my iCloud files? (please tell me, I'm genuinely curious). Internet history, go ahead, I've nothing to hide yet I'm not sure what a list of appleinsider, ebay and skysports website links will benefit anyone. If I've ever cleared my history/cache it's purely to speed up chrome, not to hide anything. I'm a nobody in the grand scheme of things, I nor anyone else couldn't care less if it was "published for the world to see". My point still stands; if you want something to be private, make sure it is secure.

    For the record, my credit card details were stolen one time, from a Debenhams database that was "hacked". As I said above - if the passwords came from a leaked database, the fault lies with the database owner. 
  • Reply 17 of 22
    linkman Posts: 1,027, member
    adm1 said:
    Unless they made any money from it I'm afraid I don't see what they did that was so bad. They GUESSED someone's password and/or security info.

    If you put private stuff online, it's your own responsibility to make sure the access is secure enough. Just like when I put my classic cars into a garage, it's MY responsibility to ensure the locks on the garage door and cctv monitoring it are up to the job.

    Had the passwords come from a leaked database elsewhere then the fault lies with the database owner's lack of security, still not the "hacker"s blame imho.
    They didn't guess the passwords. They were phished. Security info may have been compromised by educated guesses -- such as "city you were born in" for a challenge question and the person that was hacked used the actual city they were born in (and for celebrities, that isn't tough to find).

    If a hacker had obtained the passwords from an insecure DB, then the hacker is still mostly to blame. Leaving my car unlocked and with items in plain view certainly doesn't absolve a thief from stealing items from my car seat.
  • Reply 18 of 22
    crowley Posts: 10,143, member
    adm1 said:
    crowley said:
    adm1 said:
    Unless they made any money from it I'm afraid I don't see what they did that was so bad. They GUESSED someone's password and/or security info.

    If you put private stuff online, it's your own responsibility to make sure the access is secure enough. Just like when I put my classic cars into a garage, it's MY responsibility to ensure the locks on the garage door and cctv monitoring it are up to the job.

    Had the passwords come from a leaked database elsewhere then the fault lies with the database owner's lack of security, still not the "hacker"s blame imho.
    What kind of creepy ass shit is this?

    I hope someone steals nude photos of you, then your address and your bank details, then your internet history, and publishes for all the world to see.  I'm sure then you'll be self-effacing about how it's all your fault really, and the hacker didn't do anything bad.
    For one, I don't have or put "nude photos" of myself online - I don't understand the need people have to do that anyway. My address is already easily found online, in the UK, you're listed automatically in phone books, on the land registry, and marketing lists if you're registered to vote etc. etc. Bank Details, how exactly would that be found from my iCloud files? (please tell me, I'm genuinely curious). Internet history, go ahead, I've nothing to hide yet I'm not sure what a list of appleinsider, ebay and skysports website links will benefit anyone. If I've ever cleared my history/cache it's purely to speed up chrome, not to hide anything. I'm a nobody in the grand scheme of things, I nor anyone else couldn't care less if it was "published for the world to see". My point still stands; if you want something to be private, make sure it is secure.

    For the record, my credit card details were stolen one time, from a Debenhams database that was "hacked". As I said above - if the passwords came from a leaked database, the fault lies with the database owner. 
    But nothing is absolutely secure, a determined criminal with time and resources can get anything he or she wants.  Your house is not secure enough to contend with the ingenuity of a determined person, should you hold yourself responsible when your possessions are ransacked because you only had twelve locks on the door?

    This is so obviously nonsense from someone privileged enough to have never significantly been a victim.  Debenhams may have been at fault when they were hacked, but that obviously doesn't mean the hacker isn't a criminal.  They are.  And if they cause material or personal harm while perpetuating criminal actions then they deserve to have the book thrown at them.  "Unless they made money" is such a cop-out; they caused a huge amount of pain, and your attitude is borderline sociopathic.
  • Reply 19 of 22
    crowley said:
    adm1 said:
    crowley said:
    adm1 said:
    Unless they made any money from it I'm afraid I don't see what they did that was so bad. They GUESSED someone's password and/or security info.

    If you put private stuff online, it's your own responsibility to make sure the access is secure enough. Just like when I put my classic cars into a garage, it's MY responsibility to ensure the locks on the garage door and cctv monitoring it are up to the job.

    Had the passwords come from a leaked database elsewhere then the fault lies with the database owner's lack of security, still not the "hacker"s blame imho.
    What kind of creepy ass shit is this?

    I hope someone steals nude photos of you, then your address and your bank details, then your internet history, and publishes for all the world to see.  I'm sure then you'll be self-effacing about how it's all your fault really, and the hacker didn't do anything bad.
    For one, I don't have or put "nude photos" of myself online - I don't understand the need people have to do that anyway. My address is already easily found online, in the UK, you're listed automatically in phone books, on the land registry, and marketing lists if you're registered to vote etc. etc. Bank Details, how exactly would that be found from my iCloud files? (please tell me, I'm genuinely curious). Internet history, go ahead, I've nothing to hide yet I'm not sure what a list of appleinsider, ebay and skysports website links will benefit anyone. If I've ever cleared my history/cache it's purely to speed up chrome, not to hide anything. I'm a nobody in the grand scheme of things, I nor anyone else couldn't care less if it was "published for the world to see". My point still stands; if you want something to be private, make sure it is secure.

    For the record, my credit card details were stolen one time, from a Debenhams database that was "hacked". As I said above - if the passwords came from a leaked database, the fault lies with the database owner. 
    But nothing is absolutely secure, a determined criminal with time and resources can get anything he or she wants.  Your house is not secure enough to contend with the ingenuity of a determined person, should you hold yourself responsible when your possessions are ransacked because you only had twelve locks on the door?

    This is so obviously nonsense from someone privileged enough to have never significantly been a victim.  Debenhams may have been at fault when they were hacked, but that obviously doesn't mean the hacker isn't a criminal.  They are.  And if they cause material or personal harm while perpetuating criminal actions then they deserve to have the book thrown at them.  "Unless they made money" is such a cop-out; they caused a huge amount of pain, and your attitude is borderline sociopathic.
    You're taking things to the extreme as usual, there's a difference in doing all you physically can do vs doing the bare minimum - multiple types of locks on the door vs a matched-key single 20mm padlock. Even if I clarified my sentence to say "...make sure - as far as humanly possible - that it's secure", you'd still argue it. Did I say the Debenhams hacker wasn't a criminal? Stealing and using credit card info is very different from guessing someone's password and downloading a photo. So what is this "pain" you refer to, is it embarrassment? Hmm, not sure about yourself but if I was a famous celeb with paparazzi around every corner tripping over themselves to get an embarrassing or "nude" photo of me, I sure as hell wouldn't be uploading sex tapes online without at least 2-factor authentication. tbh I wouldn't be uploading that sh*t in the first place let alone recording it. Some celebs actually revel in that stuff, any publicity is good publicity to some.

    btw you're the one who in just two posts has hoped this all happens to me, name calls, categorises and accuses, yet I'm the sociopath? nice.

    edit* - still waiting to hear how my access to my iCloud files gives someone my bank details?
    edited August 2018
  • Reply 20 of 22
    crowley Posts: 10,143, member
    adm1 said:
    crowley said:
    adm1 said:
    crowley said:
    adm1 said:
    Unless they made any money from it I'm afraid I don't see what they did that was so bad. They GUESSED someone's password and/or security info.

    If you put private stuff online, it's your own responsibility to make sure the access is secure enough. Just like when I put my classic cars into a garage, it's MY responsibility to ensure the locks on the garage door and cctv monitoring it are up to the job.

    Had the passwords come from a leaked database elsewhere then the fault lies with the database owner's lack of security, still not the "hacker"s blame imho.
    What kind of creepy ass shit is this?

    I hope someone steals nude photos of you, then your address and your bank details, then your internet history, and publishes for all the world to see.  I'm sure then you'll be self-effacing about how it's all your fault really, and the hacker didn't do anything bad.
    For one, I don't have or put "nude photos" of myself online - I don't understand the need people have to do that anyway. My address is already easily found online, in the UK, you're listed automatically in phone books, on the land registry, and marketing lists if you're registered to vote etc. etc. Bank Details, how exactly would that be found from my iCloud files? (please tell me, I'm genuinely curious). Internet history, go ahead, I've nothing to hide yet I'm not sure what a list of appleinsider, ebay and skysports website links will benefit anyone. If I've ever cleared my history/cache it's purely to speed up chrome, not to hide anything. I'm a nobody in the grand scheme of things, I nor anyone else couldn't care less if it was "published for the world to see". My point still stands; if you want something to be private, make sure it is secure.

    For the record, my credit card details were stolen one time, from a Debenhams database that was "hacked". As I said above - if the passwords came from a leaked database, the fault lies with the database owner. 
    But nothing is absolutely secure, a determined criminal with time and resources can get anything he or she wants.  Your house is not secure enough to contend with the ingenuity of a determined person, should you hold yourself responsible when your possessions are ransacked because you only had twelve locks on the door?

    This is so obviously nonsense from someone privileged enough to have never significantly been a victim.  Debenhams may have been at fault when they were hacked, but that obviously doesn't mean the hacker isn't a criminal.  They are.  And if they cause material or personal harm while perpetuating criminal actions then they deserve to have the book thrown at them.  "Unless they made money" is such a cop-out; they caused a huge amount of pain, and your attitude is borderline sociopathic.
    You're taking things to the extreme as usual, there's a difference in doing all you physically can do vs doing the bare minimum - multiple types of locks on the door vs a matched-key single 20mm padlock. Even if I clarified my sentence to say "...make sure - as far as humanly possible - that it's secure", you'd still argue it. Did I say the Debenhams hacker wasn't a criminal? Stealing and using credit card info is very different from guessing someone's password and downloading a photo. So what is this "pain" you refer to, is it embarrassment? Hmm, not sure about yourself but if I was a famous celeb with paparazzi around every corner tripping over themselves to get an embarrassing or "nude" photo of me, I sure as hell wouldn't be uploading sex tapes online without at least 2-factor authentication. tbh I wouldn't be uploading that sh*t in the first place let alone recording it. Some celebs actually revel in that stuff, any publicity is good publicity to some.

    btw you're the one who in just two posts has hoped this all happens to me, name calls, categorises and accuses, yet I'm the sociopath? nice.

    edit* - still waiting to hear how my access to my iCloud files gives someone my bank details?
    I never said access to iCloud gave anyone access to bank details, so why would I need to tell you how?  You've made up that factoid all on your own. 

    "Celebs" are allowed to upload anything they like to a secure cloud service, just the same as you, and have an expectation that it will remain private.  If they are reckless with their password choices, or prone to being fooled by phishing schemes, or the cloud vendor is lax in their approaches, sure, some element of responsibility can be apportioned appropriately, but that doesn't take away from the fact that the individual breaking into another person's private data and using it for their own purposes is guilty of a crime.  Your bullshit about "some celebs actually revel in this stuff" is pretty gross.  Some might, but a lot don't, and it's irrelevant either way; they should always have a choice, and it shouldn't be down to whether money was lost to determine if there has been wrongdoing.  Money isn't everything, privacy is worth a lot without a $ value being attached.