Jonathan Powell was arrested for obtaining unauthorized access to email accounts maintained by a New York City area university, using his work computer, and causing over $5,000 of loss in the process. Powell went on to compromise social media and other online accounts linked to the university email accounts, and mined those linked accounts for the users’ login credentials and other private and confidential information. Powell also attempted to access email accounts at more than 75 other universities around the country. At the time of the alleged offense, Powell was employed by a private business at its branch office located in Phoenix, Arizona. Powell was arrested on Wednesday, November 2, and wase arraigned in federal court in Phoenix later that day before a U.S. Magistrate Judge.
According to the allegations contained in the Complaint:
From at least in or about October 2015 up to and including at least in or about September 2016, Powell obtained unauthorized access to email accounts hosted by at least two United States-based educational institutions, including one which has its primary campus in New York, New York (“University-1”). Powell obtained unauthorized access to these accounts by accessing password reset utilities maintained by the email servers at the victim institutions, which are designed to allow authorized users to reset forgotten passwords to accounts. Powell utilized the password reset utilities to change the email account passwords of students and others affiliated with those educational institutions. Once Powell gained access to the compromised email accounts (the “Compromised Accounts”), he obtained unauthorized access to other password-protected email, social media, and online accounts to which the Compromised Accounts were registered, including, but not limited to, Apple iCloud, Facebook, Google, LinkedIn, and Yahoo! accounts. Specifically, using the Compromised Accounts, Powell requested password resets for linked accounts hosted by those websites (the “Linked Accounts”), resulting in password reset emails being sent to the Compromised Accounts, which allowed Powell to change the passwords for the Linked Accounts. Powell then logged into the Linked Accounts and searched within the Linked Accounts, gaining access to private and confidential content stored in the Linked Accounts. In one instance, Powell searched a University-1 student’s linked Gmail account for digital photographs, and for the terms “password,” “naked,” “cum” and “horny.”
An analysis of University-1 password reset utility logs and other data revealed that Powell accessed the University-1 password reset utility approximately 18,640 different times between approximately October 2015 and September 2016. During that timeframe, Powell attempted approximately 18,600 password changes in connection with approximately 2,054 unique University-1 email accounts, and succeeded in making 1,378 password changes in connection with approximately 1,035 unique University-1 email accounts. (The number of successful password changes is greater than the number of compromised University-1 email accounts because certain University-1 email accounts were compromised more than once.)
In or about September 2016, POWELL repeatedly accessed the password reset utility of a second university located in Pennsylvania (“University-2”), in a similar fashion to University‑1. During that timeframe, Powell attempted to change the email passwords for approximately 220 University-2 email accounts, and successfully changed the email passwords for approximately 15 University-2 email accounts. Following the unauthorized access of those University-2 email accounts, a number of Facebook accounts linked to the compromised University-2 email accounts were also compromised.
The FBI obtained and analyzed the device (the “Device”) assigned to Powell at his place of employment in Phoenix, Arizona (the “Company”), which Powell utilized in the above-described scheme. The FBI also obtained from the Company a network backup of certain files on the Device, created on or about September 30, 2016 (the “Device Backup”), which the FBI also analyzed. The Device and Device Backup contain, among other things, a number of documents listing University-1 email account usernames and passwords. Certain documents found on the Device also contain credentials – i.e., usernames and passwords – for logging into various internet service provider (“ISP”) accounts appearing to belong to the same University‑1 email account users.
A review of the Device’s web browser history, covering the period from July 5, 2016, to October 3, 2016, revealed that Powell accessed student directories and login portals associated with more than 75 other colleges and universities (the “Other Universities”) across the United States. An analysis of the Device Backup demonstrated that the Device Backup contains several documents with filenames that refer to certain of the Other Universities. Those documents contain what appear to be login credentials for a variety of password-protected accounts linked to email accounts at certain of the Other Universities.
Powell, 29, of Phoenix, Arizona, is charged with one count of fraud in connection with computers, which carries a maximum sentence of five years in prison. The maximum potential sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge.