
Man Steals 620K Photos From iCloud Accounts Without Apple Noticing (latimes.com) 74

An anonymous reader quotes a report from The Los Angeles Times: A Los Angeles County man broke into thousands of Apple iCloud accounts and collected more than 620,000 private photos and videos in a plot to steal and share images of nude young women, federal authorities say. Hao Kuo Chi, 40, of La Puente, has agreed to plead guilty to four felonies, including conspiracy to gain unauthorized access to a computer, court records show. Chi, who goes by David, admitted that he impersonated Apple customer support staff in emails that tricked unsuspecting victims into providing him with their Apple IDs and passwords, according to court records. He gained unauthorized access to photos and videos of at least 306 victims across the nation, most of them young women, he acknowledged in his plea agreement with federal prosecutors in Tampa, Fla.

Chi said he hacked into the accounts of about 200 of the victims at the request of people he met online. Using the moniker "icloudripper4you," Chi marketed himself as capable of breaking into iCloud accounts to steal photos and videos, he admitted in court papers. Chi acknowledged in court papers that he and his unnamed co-conspirators used a foreign encrypted email service to communicate with each other anonymously. When they came across nude photos and videos stored in victims' iCloud accounts, they called them "wins," which they collected and shared with one another. "I don't even know who was involved," Chi said Thursday in a brief phone conversation. He expressed fear that public exposure of his crimes would "ruin my whole life."

The scam started to unravel in March 2018. A California company that specializes in removing celebrity photos from the internet notified an unnamed public figure in Tampa, Fla., that nude photos of the person had been posted on pornographic websites, according to [FBI agent Anthony Bossone]. The victim had stored the nude photos on an iPhone and backed them up to iCloud. Investigators soon discovered that a log-in to the victim's iCloud account had come from an internet address at Chi's house in La Puente, Bossone said. The FBI got a search warrant and raided the house May 19. By then, agents had already gathered a clear picture of Chi's online life from a vast trove of records that they obtained from Dropbox, Google, Apple, Facebook and Charter Communications. On Aug. 5, Chi agreed to plead guilty to one count of conspiracy and three counts of gaining unauthorized access to a protected computer. He faces up to five years in prison for each of the four crimes.

  • If you wanted a bunch of photos of nube-ile youngsters, iCloud is probably the first place you'd think to look.
    • Wonder if this is why Apple recently started using AI to automatically scan for nude underage images. They will be notifying parents if their child's account contains them. I just wonder how many kids actually have their accounts linked to their parents and how many kids just made their own account and lied about their age.
      • That seems to be total nonsense. You are saying apple doesn't want you to upload kiddy porn so that miscreants stealing your password can't download it? In which alternative universe does that make sense?
  • by bloodhawk ( 813939 ) on Tuesday August 24, 2021 @07:12PM (#61726671)

    He expressed fear that public exposure of his crimes would "ruin my whole life."

    You mean like how you happily ruin others' lives for profit by exposing nude photos. No matter how big a moron they are for keeping that on a phone account, you are a filthy piece of shit that deserves to have their life ruined for the damage you do all in the name of personal profit.

    • You mean like how you happily ruin others lives

      I have no sympathy for this scumbag, but it is not true that he ruined the lives of others. The young women were blissfully unaware that their photos had been exposed until investigators informed them. Their lives were unaffected, not "ruined".

      • Re: (Score:3, Insightful)

        by Anonymous Coward
        The damage doesn't have to be now or even obvious. Maybe in 5 years they go for a job yet mysteriously get rejected early in the process because someone in HR has found their nude photos, or perhaps it is their children at school in later years that find it, or worse, the other children in the school their children go to. This is not something that can ever be undone, and whether it causes damage now or later, the potential is there for the rest of their lives.
        • Indeed. The problem is corporate reactions. And that person in HR used AI search to find the nudes.

          Indeed, it may not even be a person in HR. The initial CV scan just automatically searched for nudes of applicants. And not even that. Corporate HR employs a background checking service that simply reports "bad character" with no further details, and the application is rejected.

          While women would certainly be annoyed at having nudes they took published, it is most unlikely to directly ruin any lives. Even

          • Re: (Score:3, Insightful)

            by Anonymous Coward
            Really depends on where you live, the community you are in and your employment. Consequences range from a giggle to a potential death sentence and everything in between.
          • by AmiMoJo ( 196126 ) on Wednesday August 25, 2021 @06:53AM (#61727875) Homepage Journal

            Most people would find it quite distressing to know that intimate photos of them were shared with strangers, and people they know and work with.

          • While women would certainly be annoyed at having nudes they took published, it is most unlikely to directly ruin any lives. Even if work colleagues found out about them, they would have a giggle at the woman's expense, but hardly ruinous.

            Not necessarily. It depends on the person. Some people could shrug this sort of thing off and move on, other people could end up with PTSD over this and potentially end up committing suicide because of it. So yes, it could potentially be quite ruinous.

      • by stephanruby ( 542433 ) on Tuesday August 24, 2021 @07:45PM (#61726753)

        The young women were blissfully unaware that their photos had been exposed until investigators informed them. Their lives were unaffected, not "ruined".

        Some were unaffected. The keyword here is "some".

        Out of 306 victims, 200 of which were targeted because someone paid to have those accounts accessed. I'll bet some of those women were affected. After all, who would pay to access their account? Stalkers? Ex-boyfriends? Peeping toms? Celebrity stalkers? We don't know.

        And then, there are women who may have shared some of those images with their significant other (or shared their PIN with them). That means that if they saw those images appear online, they might have suspected their partner, or ex-partner.

      • by Somervillain ( 4719341 ) on Tuesday August 24, 2021 @09:03PM (#61726961)

        The young women were blissfully unaware that their photos had been exposed until investigators informed them. Their lives were unaffected, not "ruined".

        As someone else already pointed out, what if the photos are shared with their kids' classmates? What if they were posted publicly and word got out around their office? Ask your wife or last girlfriend how she'd feel if photos were shared in her office of her blowing you?

        It doesn't matter what you or I think. Their privacy was violated. I will bet the impact to them is much greater than you or I realize. I personally love my dick and think it looks nice. I wish I had more opportunity to show it off...maybe you feel the same way...but few women think like I do. No matter how harmless or hot you may think these photos are, these women are probably deeply embarrassed and feel vulnerability you and I will never understand.

        There are also many famous news stories about women who were fired after nudes were leaked, often by exes without their consent. I remember stories about court cases involving this going back to the 90s and even a very recent one about a mechanic who was fired because a coworker discovered she had an OnlyFans page and the dealership thought she was "too distracting" and fired her...for what she does in her personal time and never mentioned once in the office, nor was linked to her employer in any way...because her male coworkers couldn't stop sexually harassing her once they saw her tits online.

        But even if your workplace is supportive, will this still be online in 5 years? What if she's a teacher? She has to wonder if every creepy smile from a student or even a dad is related to them seeing her naked. Same thing with any public-facing job: real estate, sales, just being a clerk at the store. I assure you that if your kid's teacher had nude pics online, a large percentage of the moms would get really angry. I am not sure why, but they're unusually threatened by that.

        This happened to a friend of mine. She has a distinctive face and tattoos. Her boyfriend uploaded pics of her to a porn site blowing and fucking him and apparently she was pretty popular. She was only 18 when the pics were taken and they were uploaded without her consent, like a year after she broke up with him. She got harassed constantly, once even in front of me, like 3 years after they were taken down. It made her life miserable and the guy never faced any consequences...this was long before "revenge porn" was in the lexicon. I still see her pics sometimes in random searches, now 15 years later. The original site shut down long ago, but the pics live on in file sharing services or just various scam sites that redistribute porn without permission under sketchy URLs.

  • and... (Score:4, Interesting)

    by fulldecent ( 598482 ) on Tuesday August 24, 2021 @07:19PM (#61726691) Homepage

    Meanwhile, 17 Apple employees that did the same exact thing were not found and did not get prosecuted.

    And in other news, Apple tricks over one billion people to upload their private photos without encryption to Apple.

    • Yeah, really. And I guess I'm a dinosaur or something but 306 victims and 620k photos? Jeez, do people you photograph and save every single event in your life?

      Also, awesome signature.
      • Right in the summary:

        A Los Angeles County man broke into thousands of Apple iCloud accounts and collected more than 620,000 private photos and videos in a plot to steal and share images of nude young women,

        That 306 probably refers to the people with compromising shots.

      • Re: (Score:3, Funny)

        by EvilSS ( 557649 )

        Yeah, really. And I guess I'm a dinosaur or something but 306 victims and 620k photos? Jeez, do people you photograph and save every single event in your life? Also, awesome signature.

        Well to be fair 310K of those were accidental screen shots.

        • Sadly, when you double-accidental screenshot, the second one doesn't include the pop-up on the first one.

          I hope these words suffice for what I'm describing because I literally can't show you. lol

    • by fermion ( 181285 )
      How does Apple trick people into taking off their clothes and taking pictures of each other? Does Apple trick people into using insecure password and avoid two factor authorization. I have to authorize login with another device. Did Apple trick people into supplying passwords to random people on the phone, or does every major corporation tell people not to do this. It is like every email says not to supply the code to anyone, even though we hear stories of all someone's money being stolen beca
      • Re: (Score:2, Insightful)

        by fulldecent ( 598482 )

        It tricks you by giving you a default "yes" button which it uses dark patterns to trick you into pressing. And that button is iCloud and it uploads all your photos from past, present and future for Apple to have in unencrypted format.

        Yes, Apple tricks you into having an insecure password and not two-factor auth. It does this by A) requiring you to type in your password every time you buy something, rather than using autosave like every other app (unless using biometrics); B) by making two-factor auth ann

        • by Anonymous Coward

          you are so fucking stupid and nothing you wrote is correct or true.

          • So in your world:

            - Constant nags to set up iCloud is not a dark pattern
            - Apple encrypts your photos with end-to-end encryption (i.e. the Fappening didn't happen)
            - Apple accounts are only secured with strong passkeys like your FileVault 2 key or your Bitcoin wallet
            - Everybody poops without taking off their pants
            - When people buy a phone they think "this is an 1984 device, I should never do anything private near it"

      • Sensible caution & expectations of privacy on the part of users interferes with corporate profits. As long as this is true, we will continue to see stories like this. I think Apple's corporate lawyers are mostly worried about being properly regulated since they no doubt host a lot of pornographic material, including child porn made by school children.
    • Where does that information about 17 Apple engineers come from? The same source as your Covid vaccine information? Link to a reliable source or you made it up.
      • 17 is an approximate figure.

        My source is common sense and related facts.

        NSA employees have access to most everybody's emails and phone records on Earth. And they admitted to several cases of employees snooping on lovers https://www.cnet.com/news/nsa-... [cnet.com]

        Apple has much more private information available, unencrypted, in its iCloud system. So naturally there are at least that many people at Apple tempted to spy on at least their lovers.

  • I feel like (Score:2, Insightful)

    by dicobalt ( 1536225 )
    All users should be required to take a best practices security test before being allowed to use an internet connected device. Sort of like a driver's license. A car being driven incorrectly can cause significant damage, but the same goes for internet connected devices. Simple things like never ever ever tell anyone your password. Don't open attachments unless you expected to receive them or if they have multiple file type extensions. Simple stuff, and users should also demonstrate a knowledge of the consequ
  • Why should anyone care about his life getting ruined when he tried to or succeeded in ruining other people's lives? He has no empathy for others, yet expects a bunch when he's in a predicament.

  • by godel_56 ( 1287256 ) on Tuesday August 24, 2021 @07:34PM (#61726729)

    Investigators soon discovered that a log-in to the victim's iCloud account had come from an internet address at Chi's house in La Puente, Bossone said.

    Smart enough to rip people off, not smart enough to use a VPN or Tor.

  • should be enough for anyone.

  • Downloads, not so much.

    Downloads probably aren't "scanned" for "inappropriate" content either.

    So it goes.

  • by Petersko ( 564140 ) on Tuesday August 24, 2021 @07:44PM (#61726751)

    He didn't break in. He phished his way in on such a small scale I wouldn't expect Apple to notice. If they had, and had initiated any response, the false positives would be incredibly annoying for the innocent.

    • Re: (Score:2, Insightful)

      by AmiMoJo ( 196126 )

      Apple seems to make very little effort to secure customer accounts. If you don't have 2FA set up on Google they bug you about it until you relent, and you get multiple notifications (every Android device and email and SMS if you registered your number) when a new machine logs in for the first time.

      Apple seems happy with just an email address and password, and doesn't even seem to enforce minimum standards for password complexity.

      • Minimum password complexity is the responsibility of the user.

        • by AmiMoJo ( 196126 )

          I'm sure Apple would agree, which is the problem. They built a service that contains all your private data, heavily marketed it, and then made only the most superficial attempt to secure it.

  • I hope it does fucker.
  • 620K ought to be enough for anybody.
  • "... in a plot to steal and share images of nude young women,

    That was what he told the police.

    What he really wanted was to find images of nude old men.

  • by LenKagetsu ( 6196102 ) on Wednesday August 25, 2021 @06:26AM (#61727825)

    Apple customer support staff in emails that tricked unsuspecting victims into providing him with their Apple IDs and passwords

    People are told, repeatedly, "We will not ask for your password", everyone is told "Do not give out your password". It says on the fucking site "Never provide your password, security questions, verification codes, recovery key, or any other account security details to anyone else. Apple will never ask you for this information." [apple.com]

    People who give out their passwords should be treated to a recreation of the footlocker scene from Full Metal Jacket and the subsequent ass-beating.

  • by ZorinLynx ( 31751 ) on Wednesday August 25, 2021 @08:24AM (#61728151) Homepage

    >he impersonated Apple customer support staff in emails that tricked unsuspecting victims into providing him with their Apple IDs and passwords

    All the security in the world won't help if you hand your keys to the first moron who comes along claiming he's a locksmith.

    • While I agree people need to be careful, user vigilance is not sufficient.
      • You know those phishing emails which say there's a problem with your eBay account, please click this link and login to fix it? Only an idiot would fall for those, right? Well I'm pretty vigilant, and I fell for it. How? Because I got one of them within minutes of winning a bid on eBay, and it blended in with the other eBay notifications I got saying I'd won, and what I had to do next. The phishing email said there was a problem wit
  • It appears this isn't Hao Kuo Chi's first time with committing a computer-related crime. https://www.latimes.com/archiv... [latimes.com]
