Earlier this week, twenty-nine year old Andrew Helton was sentenced to six months in prison for hacking hundreds of Apple and Google accounts including many of celebrities  and stealing 161 nude or partially nude photos from thirteen people.  I first reported to you about Helton when he pleaded guilty to the hacking charges in February of this year.

Between March 2011 and May 2013, Helton used a simple phishing scheme to steal the usernames and passwords of 363 Apple and Google email accounts including those of many celebrities.  Once he had access to his victims’ email accounts he was able to access all of the contents of their email accounts including 161 sexually explicit or nude images of thirteen of his victims.  It should be noted that Helton did not post any of the stolen photos online and his case is totally unrelated to the stealing and posting of nude photos of celebrities including Jennifer Lawrence and Kate Upton that occurred in September of 2014 although a similar phishing tactic was used to obtain the usernames and passwords of the victims.

Helton obtained the usernames and passwords of his victims by sending emails to his victims that appeared to come from Apple or Google in which his victims were asked to verify their accounts by clicking on a link which took them to a website that appeared to be a login page for Apple or Google.  Once they entered their information, Helton had all that he needed to access his victims’ accounts.  It is interesting to note that in a letter to the court, Helton emphasized his lack of computer talent saying, “There was no expertise involved.  All I did was essentially copy and paste.” Even the email addresses of his targets were obtained from easily accessed contact lists online.  The fact that such havoc could be spread by someone without having particular computer skills points out how easily any of us can be victimized if we do not take proper precautions.


The type of phishing scam used by Helton is one used by many other scammers and it is easy to defend against.  Always be skeptical when you are asked to provide your personal information, such as your user name, password or any other personal information in response to an email or text message.  Trust me, you can’t trust anyone.  Always look for telltale signs that the communication is phony, such as bad grammar or the sender’s email address which may not relate to the real company purporting to send you the email.  Beyond this, even if the email or text message appears legitimate, it is just too risky to provide personal information in response to any email or text message until you have independently verified by contacting the company that the communication is legitimate.

In addition, you should not store personal data or any photos or other material on your email account. Store such data in the cloud or some other secure place.