Dana Liebelson

Reporter

Dana Liebelson is a reporter in Mother Jones' Washington bureau. Her work also appears in Marie Claire and The Week. In her free time, she plays electric violin and bass in a punk band.

Did Your Spouse Pay These Guys to Hack Your Email Password?

Tue Jan. 28, 2014 7:00 AM EST

If you're in a monogamous relationship and you come home at 4 a.m. with no explanation, your significant other may wonder where you've been. According to the FBI, some jealous lovers are going straight to the nuclear option: hiring hackers to find your email password. 

On Friday, federal prosecutors charged two Arkansas men, Mark Anthony Townsend and Joshua Alan Tabor, with operating a business that illegally obtained email passwords for customers who hoped to catch cheating spouses. The pair's company, needapassword.com, breached nearly 6,000 email accounts, including some hosted by Google and Yahoo, according to the indictments. Townsend, 49, allegedly established the website, which operated as recently as July 2013 and asked $50 to $350 per password. Tabor, 29, allegedly helped Townsend hack into the accounts. Both men are charged with accessing a protected computer without authorization and facilitating further access by others, a felony that carries a five-year prison sentence.

"Is your spouse cheating with someone? Do you know who they are? You have the right to read the personal thoughts your spouse is writing to others," Townsend and Tabor's website advertised last April, according to the FBI. The men allegedly offered to obtain passwords to Hotmail, Yahoo, AOL, Gmail and other accounts. (You can view a version of the site here.) Tabor and Townsend were caught hacking into Yahoo and Gmail accounts, according to the indictments. Attorneys for the two men did not respond to requests for comment Monday.

In the indictments, the FBI notes that the scheme was dependent on a target logging into his or her email and checking it. A Google spokeswoman says that it appears that its servers weren't directly hacked; instead, users' individual Gmail accounts were hijacked using a technique called spear phishing, in which a hacker sends a fake email that tricks an account owner into providing sensitive information. "We have a wide variety of protections in place at all times to guard our users against account hijacking," the Google spokeswoman said. A Yahoo spokeswoman adds, "Yahoo takes the security of our users very seriously."

After gaining access to an email account, the hackers would send a screenshot of the inbox to the customer as proof, and then solicit payment via PayPal for the password, according to the indictment. One bank account the FBI believes to be associated with the defendants received approximately $150,000 in about a year and a half. According to the FBI, Townsend used a computer system that belonged to the fire department in his hometown of Cedarville, Arkansas, where he was a volunteer for the local search and rescue team.

The FBI notes that the scheme wasn't always successful: An agent from the Los Angeles field office interviewed a customer, identified in the indictment and search warrant as "J.B.," who suspected her boyfriend of not being faithful. She signed up for the site, but received a message saying that although the site had obtained a password, it wasn't working: "Maybe he typed it wrong or he's suspicious."

The feds aren't just cracking down on people who allegedly do the hacking, they're going after customers too: indictments unrelated to the "needapassword" case were issued last week against three Americans who paid between $1,011 and $21,675 to hackers in order to obtain email passwords.

Here's Why Obama's Surveillance Transparency Deal With Tech Companies Doesn't Matter

Mon Jan. 27, 2014 8:06 PM EST

Update (1/28/14): See below.

On Monday, the Obama Administration announced that it's going to start allowing tech companies to disclose more information about the number of national-security related demands the government makes for user information. On the surface, this seems like a government-transparency victory. But compared to the extensive recommendations made by lawmakers, privacy advocates, and the president's own government surveillance advisory board, the change actually does very little to shed light on the nature or extent of the government's requests for personal data.

Up until now, tech companies have only been allowed to report a very rough figure on the number of national security letters they receive, and the number of users affected. (The FBI and other agencies use these secret requests to force businesses to hand over certain customer records.) Meanwhile, firms like Google, Facebook, Yahoo, and others have been forbidden from sharing any information on orders they receive via the Foreign Intelligence Surveillance Act (FISA) court. Now, the New York Times reports:

Companies will be able to disclose the existence of FISA court orders. But they must choose between being more specific about the number of demands or about the type of demands. Companies that want to disclose the number of FISA orders and national security letters separately can do so as long as they only publish in increments of 1,000. Or, companies can narrow the figure to increments of 250, but only if they lump FISA court orders and national security letters together.

"It's a pretty absurdly tiny incremental increase in transparency," Julian Sanchez, a research fellow at the Cato Institute who focuses on privacy and civil liberties issues, tweeted Monday. Not only are tech companies still barred from reporting the government requests they receive in real time—there's a six-month delay—but the information they are now allowed to disclose still tells Americans little about the requests the government is making. For example, the administration's new policy only allows FISA orders to be reported under "content" and "non-content" categories. And the number of accounts affected can still only be disclosed in ranges of 1,000.

This week, Apple CEO Tim Cook reiterated that, "We need to say what data is being given," after revealing that his company is under a government gag order. The president's surveillance advisory board recommended in December that he reform the process by requiring judicial approval before sending national security letters. (Judicial approval is currently not required.) And members of Congress have introduced a bill that would limit the kinds of records that can be obtained. But the administration has yet to take meaningful steps at surveillance reform.

UPDATE, Tuesday, January 28, 2014: Nate Cardozo, staff attorney at the Electronic Frontier Foundation, sent Mother Jones another reason Obama's announcement doesn't go far enough: "The deal won't allow the companies to disclose which legal authorities the government is using in the Foreign Intelligence Surveillance Court. We need that information especially, since we're currently trying to reform those very laws. True transparency—as well as the First Amendment—requires that companies be allowed to map the scope of the United States government's surveillance apparatus, including the legal authorities it claims to rely on."
