By SecureWorld News Team
Wed | Jan 31, 2018 | 4:20 AM PST

A 30-year-old man in Phoenix is about to spend six months in prison for cybercrimes that seem to prove many password reset managers may not be secure.

In this case, Jonathan Powell took advantage of an email password reset tool at a New York university.

According to the U.S. Attorney's Office in New York, he was able to reset 1,378 passwords belonging to college students:

"Jonathan Powell used his computer skills to breach the security of a university to gain access to their students' personal accounts. Once Powell had access, he searched the accounts for compromising photos and videos."

He used the compromised student email accounts to search linked accounts, as well. These were password-protected email, social media, and online accounts to which the compromised accounts were registered, including, but not limited to: Apple iCloud, Facebook, Google, LinkedIn, and Yahoo.

Prosecutors also say he used this same type of tool to compromise other universities:

"Additional investigation revealed that Powell had also compromised 15 email accounts hosted by a second university located in Pennsylvania. In a post-arrest statement made to investigating agents, Powell additionally admitted to compromising email accounts at several other educational institutions located in Arizona, Florida, Ohio, and Texas."

This raises a serious question: can someone from outside your organization use your email password reset tool?
