Celebrity Hacking Scandal Continues, Hacker Apologizes
On November 13, 2010, 34-year old Jacksonville, Florida resident Christopher Chaney used his hacking skill for unreleased nude photos of celebrities. According to court documents, he had the e-mail address for celebrity stylist and handbag designer Simone Harouche, but he didn’t have Harouche’s password. No matter; after connecting to Apple’s e-mail servers, Chaney used the password reset feature. He answered the required security questions by supplying publicly available information gleaned from the Internet—and he was in. What to do next?
Account settings were a top priority. From there, Chaney could have a copy of all Harouche’s incoming e-mail mirrored to email@example.com—an account created especially for this purpose. Even after Harouche regained control of her account, she was unlikely to start poking around immediately in her account settings, and Chaney might maintain his virtual view of her life for weeks or even months.
Chaney went on a spree, cracking more than 50 celebrity e-mail accounts, including those belonging to Mila Kunis and Scarlett Johansson. On January 1, 2011, Chaney celebrated the new year by logging into Johansson’s Yahoo e-mail account once more and sending a message to a friend asking the friend to please send back copies of some private photographs.
Chaney obtained several photos of Johansson in various stages of undress and released them online. Johansson commented on the photos to Vanity Fair last December:
She confessed she had taken them herself with her smartphone. “Those are old, from three years ago. They were sent to my husband,” she explained, referring to her now ex, Ryan Reynolds. “There’s nothing wrong with that. It’s not like I was shooting a porno—although there’s nothing wrong with that either.” It’s still a dangerous habit for a movie star. Worse than getting her phone hacked, she might make herself look bad: “You’re hardly a professional photographer.”
With the mirroring in place, a quick stroll through the actual contents of the account might be in order. For Hollywood celebrities, a search of all e-mails containing attachments could bring up everything from film scripts to scans of a driver’s license to intimate photos. When he found these last items, Chaney saved them to separate folders on his computer. He then used three e-mail accounts with names like firstname.lastname@example.org—an I’m-better-than-you reference to a 2008 hacker named “trainreq” who had broken into Miley Cyrus’s Gmail account—to distribute nude pictures to various Internet sites.
But such pictures weren’t always sitting around, waiting to be downloaded; sometimes Chaney had to work for them.
Which led him to Harouche’s contacts list. Thanks to electronic address books, the successful hack of a single well-connected individual like Harouche might turn up all sorts of private celebrity e-mail addresses, the raw material for future attacks on new accounts. In this case, Harouche knew singer Christina Aguilera. Chaney went off and tried to break into Aguilera’s e-mail account, but with no success—so it was back to Harouche’s account for one last dodge.
On December 2, three weeks after the first break-in, Chaney hacked his way back into Harouche’s account. This time, he impersonated her, sending an e-mail to Aguilera in which he requested pictures of Aguilera wearing, as he would later admit to a federal judge, “very little clothing.”
Amazingly, she appears to have complied; Chaney soon released photos of Aguilera obtained from Harouche’s account onto the Internet.