Man posing as Apple support rep scoured hundreds of iCloud accounts for nude images

For about four years, a Los Angeles county man was able to steal hundreds of thousands of photos and videos from iCloud accounts of young women across the US. While he didn’t break iCloud security to do so, this is an important reminder to never give up your Apple ID credentials to anyone and use two-factor authentication to prevent unauthorized access to your account.

Back in 2014, Apple faced one of the biggest security blunders in the company’s history when a group of hackers managed to exploit iCloud accounts of over a hundred celebrities and got access to their private photos and videos. Several men have since been found responsible for the incident, which culminated with the dissemination of the private content around the web.

Even though Apple never admitted to an actual iCloud breach, it is believed this was made possible by lenient security practices which allowed brute-force password guessing.

Fast forward to today, and a California man has pled guilty to no less than four felony charges after he broke into thousands of iCloud accounts with the aim of stealing nude images of women. According to a report from Los Angeles Times, Hao Kuo Chi admitted he had impersonated members of Apple customer support to fool his victims into sharing their Apple ID credentials over email.

Court documents reveal that 40-year-old Chi stole over 620,000 private photos and 9,000 videos that he then hosted on his personal Dropbox account to sort out the “win” images from the rest. In order to do this, he didn’t breach any of iCloud’s security protections, and instead used social engineering and phishing on over 300 victims across the US, most of them young women.

For years, Chi operated online under the nickname of “icloudripper4you,” and used two Gmail addresses where the FBI found over 500,000 emails and 4,700 iCloud credentials that victims had sent him. He didn’t work alone, although he maintains he doesn’t know the identity of his co-conspirators.

The scheme worked between 2014 and 2018, but immediately fell apart after Chi decided to share the private photos and videos online. Soon enough, a California-based company specializing in removing celebrity photos from the web notified an unnamed client that it had found a match on several pornographic websites.

Investigators had already been tracking Chi using data from several sources such as Apple, Dropbox, Google, Facebook, and Charter Communications, and eventually they were able to track down his home address. Chi pleaded guilty earlier this month, and faces up to five years in prison for each one of the four charges.