Brannan was charged with unauthorized access to a protected computer and aggravated identity theft. Court documents say that he accessed the iCloud, Yahoo, Facebook, and email accounts of more than 200 victims, both celebrities and non-celebrities.
He was able to obtain full iCloud backups, photographs, and other information using phishing email accounts designed to send messages that looked like legitimate emails from Apple. He also hacked email accounts by answering security questions using data found on victims’ Facebook accounts.
After obtaining Apple account information, Brannan would search for “sensitive and private photographs and videos, including nude photographs.”
Brannan is one of multiple people who were found accessing and distributing celebrity photos in the 2014 attack. Ryan Collins, Edward Majerczyk, Emilio Herrera, and George Garofano have previously been sentenced to prison terms ranging from eight months to 18 months.
When hundreds of nude celebrity photos began leaking on the internet in 2014 as part of what’s now known as the “Celebgate” attack, there was initial speculation that iCloud had been hacked.
Following an investigation, however, Apple found that the accounts in question were compromised by weak passwords and skilled phishing attempts.
Apple has since implemented multiple changes to iCloud security, adding two-factor authentication to iCloud.com, introducing email alerts when an iCloud account is accessed either on the web or on another device, and requiring app-specific passwords for third-party apps that access iCloud.
Unfortunately, the kinds of phishing emails that led to the 2014 celebrity leak are still widely used today, and phishing scammers have only gotten better at what they do.
To thwart phishing attempts, Apple maintains a support page with information on how to avoid fake support calls, phishing emails, and other scam techniques that malicious individuals employ to extract information from Apple users.
Those concerned about being the victim of a phishing attack should take measures to stay safe, including using two-factor authentication, getting a password manager like 1Password and using a unique password for each and every site, and avoiding suspicious phone calls and emails, even if they look like they come from Apple.