'Celebgate' iCloud hack perpetrator sentenced to 34 months in prison

By Malcolm Owen

A hacker who pleaded guilty for his part in the 'Celebgate' hack, involving phishing for credentials and attempting to access more than 200 iCloud, Yahoo, and Facebook accounts controlled by celebrities and other users, has been sentenced to almost three years in prison.

The U.S Attorney's Office for the Eastern District of Virginia advises Christopher Brannan, 31, of Richmond was sentenced on Friday for participating in the social media and cloud storage hacking event known as "Celebgate." Branna, a former high school teacher, pleaded guilty in October to charges of unauthorized access to a protected computer and aggravated identity theft.

While the crimes were punishable by a maximum of seven years in prison, a plea agreement with Brannan led to the United States making a non-binding recommendation to the court that he be sentenced to 34 months in prison, a decision agreed upon by Senior U.S. District Judge Henry E. Hudson at sentencing.

Court filings advise Brannan accessed online accounts for Apple's iCloud, Yahoo, and Facebook, allowing him to acquire complete iCloud backups, photographs, and other private information from more than 200 victims. The "Celebgate" name refers to the fact that some of the people targeted in the campaign were famous.

Brannan acquired access in a variety of ways, including simply answering security questions in forgotten password systems that could be easily answered by reviewing the victim's other public social media accounts. He also used phishing to acquire credentials, using email addresses that looked as if they were legitimate security accounts from Apple.

The teacher is not the only person to receive punishment for "Celebgate," as last year George Garofano was sentenced to eight months in prison followed by three years of supervised release for accessing more than 200 iCloud accounts. In 2017, Edward Majerczyk received nine months in prison and paid $5,700 to one victim for hacking into more than 300 iCloud and Gmail accounts.

The first person sentenced for the attack in 2016, Ryan Collins, received 18 months for accessing 50 iCloud accounts and 72 Gmail accounts.

The Celebgate ordeal surfaced in 2014, with the discovery of a cache of nude photographs and video belonging to prominent figures in the entertainment business, likely shared via the dark web before surfacing on the more public BitTorrent and other file-sharing services.

Apple investigated the event, which was initially and incorrectly blamed on an iCloud security breach that Apple strongly denied. Further investigation determined the attacks were accessed via social engineering, not by security flaws.