Student emails hacked in search of “embarrassing content”
On Wednesday, Nov. 2, an Arizona man was arrested for hacking into the student email accounts at two universities, including Pace University. Jonathan Powell, 29, also accessed student directories and login portals at 75 other higher-education institutions across the nation.
The U.S. Attorney’s office report states that Powell used a password reset tool to access the student accounts and successfully changed the passwords for over a thousand accounts. He then used the information on these accounts to access other online accounts—such as Facebook, LinkedIn and Google—that were linked to the university emails and mined those accounts for the users’ confidential information.
Powell also used this information to search for photos of “potentially embarrassing content” according to Manhattan U.S. Attorney Preet Bharara. In one particular instance, he searched for photos and keywords such as “naked” and “horny.”
After conducting an internal investigation, the University contacted the FBI to report that many students reported changes to their account passwords in Aug. 2016, according to a University spokesman. The FBI then proceeded to investigate and tracked the IP address of the hacking to Powell’s work computer. The computer showed records of Powell’s previous attempts to access 2,054 Pace students email accounts, 220 email accounts from an unidentified Pennsylvania university, and login portals to another 75 university servers.
Powell was arrested and is expected to be charged with one count of fraud in Phoenix. If he is found guilty, Powell will face a maximum of five years in prison. For now, he has been released following a hearing in federal court. Powell’s lawyer has not released a comment.
While the university in Pennsylvania has not confirmed its identity, Pace University confirmed in a statement that it was the New York City campus who was affected, with 1,035 emails affected out of the 2,054 attempts. In Pennsylvania, Powell only succeeded with 15 of the 220 attempts he made.
The University has not informed the student body via email or social media.
UPDATED – Nov. 5, 10:30 a.m.
The University’s internal investigation did not find any evidence that personal information such as social security numbers or credit card information had been accessed, according to a statement from the University. The investigation was turned over to the FBI after the University’s on-call cybersecurity team determined that the hack came from outside the University and that non-Pace accounts had been compromised.
The University still has not addressed the student body on the issue.