A 23-year-old California man is set to appear in court Tuesday, after police say he broke into the Web mail accounts of more than 3,000 women and posted sexually explicit images of many of them on Facebook.
George Samuel Bronk was arrested Friday following an investigation involving federal authorities and the California Highway Patrol’s Computer Crimes Investigation Unit. He is set to be arraigned Tuesday afternoon in Sacramento County Court.
Investigators were tipped off after a Connecticut woman contacted local police saying that someone had posted sexually explicit photographs of her to her Facebook page. The photos had apparently been taken from a hacked Web mail account.
Investigators then linked the IP (Internet Protocol) address used to access the hacked accounts to Bronk’s computer. They raided his Citrus Heights, California, home on Sept. 24 and discovered evidence that there may be thousands of victims, according to Sergeant Kelly Dixon, of the CHP’s Computer Crimes Unit. Police also found images of child pornography on the computer, he added.
The case shows how the information stored on social media sites can be misused, and ultimately turned against victims. Police believe that Bronk broke into about 3,200 Web mail accounts by guessing the answers to password reset questions used by services such as Gmail, Yahoo Mail and Microsoft’s Hotmail. “He didn’t know any of them; he just apparently had a lot of time on his hands,” Dixon said. “He would just search Facebook, look at females, and glean information.”
He allegedly found the sexually explicit photos stored in the Web mail accounts, and then used his control over the victim’s email address to access Facebook.
Police have now positively identified 20 victims, but are sill looking for more. They believe that Bronk posted images to between 170 and 176 Facebook pages, and also e-mailed them to the victim’s friends.
Some of the photos were “very sexually explicit,” and at least one case involves a video, Dixon said. “The victims that have been contacted were mortified,” he said.
The California Office of the Attorney General is attempting to locate victims, Dixon said.
Bronk is facing a 30-count indictment that charges him with hacking, possession of child pornography and felony impersonation. He could not immediately be reached for comment.
Computer security experts have known for years that the password security questions that Bronk is alleged to have guessed are a weak link in online security. In 2008, a college student named David Kernell guessed the answer to some of these questions using information he’d found on the Internet and was able to break into the Yahoo Mail account of Alaska Governor Sarah Palin. Kernell is set to be sentenced for that crime in Nov. 12.
Kernell found a lot of his information on Wikipedia, which has a detailed entry on Sarah Palin. But with Facebook, some of this data can be dug up on non-celebrities too.
“Sometimes individuals out there put too much personal information that is accessible to the public,” Dixon said. “People should protect their security password questions as vigorously as they protect their passwords.”
Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is firstname.lastname@example.org