NEW YORK (Reuters) - An Arizona man was arrested on Wednesday on charges that he hacked into over 1,000 email accounts for students and others at two universities, including Pace University in New York, and tried to do the same at 75 other higher-education institutions.
Jonathan Powell, a 29-year-old Phoenix resident, was arrested based on a criminal complaint filed in federal court in Manhattan charging him with fraud in connection with computers, according to prosecutors.
According to the complaint, Powell used password reset tools to try to access thousands of email accounts at two universities in New York and Pennsylvania, successfully changing the passwords for 1,050 accounts.
Prosecutors said he went on to compromise social media and other accounts at online services such as Facebook, LinkedIn and Google that were linked to the university email accounts, and mined those accounts for users’ confidential information.
Manhattan U.S. Attorney Preet Bharara said Powell also searched their photos for “potentially embarrassing content”. In one instance, he searched a students’ Gmail account using the key words “naked” and “horny”, the complaint said.
“This case should serve as a wakeup call for universities and educational institutions around the country,” Bharara said in a statement.
A lawyer for Powell did not respond to a request for comment. He was arrested in Arizona on Wednesday morning and released following a hearing in federal court in Phoenix later in the day, according to court records.
While authorities did not name the universities at issue, Pace University confirmed in a statement it was the New York university mentioned in the complaint. In the statement Pace University said it contacted the Federal Bureau of Investigation and Bharara’s office after discovering the security breach.
The biggest victim in the case appeared to be Pace University, where according to prosecutors, Powell since at least October 2015 attempted to change the password for 2,054 accounts, succeeding with 1,035 of them.
In September, he tried to change email passwords for 220 of the Pennsylvania university’s accounts, succeeding with 15, prosecutors said.
He also accessed student directories and login portals for more than 75 other colleges, they said.
Reporting by Nate Raymond in NEW YORK; Editing by Chris Reese and Alan Crosby