Two graduates of the State University of New York (SUNY) Plattsburgh, Nicholas Faber and Michael Patrick Fish have pleaded guilty to computer fraud and aggravated identity theft charges related to their their hacking into online accounts of 79 students at SUNY Plattsburgh and then trading those photos and videos with other hackers on the Dark Web, that part of the Internet where criminals buy and sell goods and services.  Hacking into online accounts of women and stealing nude photos and videos has been a problem for years, most notably when hackers stole nude photos form the iCLoud accounts of a number of celebrities including Jennifer Lawrence and Kate Upton.

In this case, Faber and Fish first hacked into the email accounts of their victims and from there gathered information including the passwords of their victims’ Snapchat, Instagram and iCloud accounts from which they were able to steal the compromising photos and videos.  It appears that the hackers were able to hack into the accounts by sending spear phishing emails that lured their victims into providing their passwords or clicking on links that downloaded keystroke logging malware that would enable the hackers to gather the passwords from their victims’ computers and phones.

Faber and Fish will be sentenced later this year.


There are a number of lessons to be learned from this crime about how to protect our own security.    It is important to resist providing your username and passwords in response to emails and text messages unless you have absolutely and independently confirmed that the request is legitimate. You also shouldn’t click on links in emails and text messages regardless of how legitimate they may appear unless you have absolutely confirmed that the communication is legitimate.  The risk of downloading malware is too great.

The first step in protecting your privacy is using a strong and unique password for each of your online accounts.  For information about how to pick a strong password, you can go to the archives of and type in “strong password.”  You also can use a password manager.

In addition, at least one of the victims of Faber and Fish had her email password changed by the hackers.  This is generally accomplished when someone answers your security question and becomes able to change your password.  Enterprising hackers are able to change passwords of their intended victims by answering a security question which then enables them to change the victim’s password and take over the account.  This was what happened years ago to Sarah Palin when a hacker answered the security question for her email account and was able to change the password and take over the account.  Her question was where did she meet her husband and the answer was Wasilla High School which was found by the hacker by going to Sarah Palin’s Wikipedia page.  You may think that you are not famous and that information to answer your security question is not readily available, but you might be surprised by both how much personal information you and others post about you on social media that could be used to provide the answers to you security questions as well as the wide array of information about you that is available online such as your mother’s maiden name which is a common security question.  The solution to this problem is simple.  When you initially set up your security question, use a nonsensical answer.  Thus the answer to your mother’s maiden name question could be “firetruck.”  It is silly enough for you to remember and no hacker will ever be able to guess it.  You should also use dual factor authentication whenever possible to provide a much greater level of protection even if your password is compromised, such as through a data breach.

Also, take advantage of the dual-factor authentication protocols.  With dual-factor authentication, your password is only the starting point for accessing your account.  After you have put in your password, the site you are attempting to access will send a special one-time code to your cellphone for you to use to be able to access your account.  In some instances, the companies will only send the code to you if your account is being accessed from a different device than you usually use to access your accounts.  Had the victims of Faber and Fish used dual-factor authentication, they would still have their privacy.

It is also important to note that merely because you think you have deleted a photograph or video from your cellphone, that may not be accurate. Cellphones save deleted photographs and videos on their cloud servers such as the Google+service for Android phones and the iCloud for iPhones.  However, you can change the settings on your cellphone to prevent your photos from automatically being preserved in the cloud.

For those of you receiving the Scam of the day through an email, I just want to remind you that if you want to see the ever increasing list of Coronavirus scams go to the first page of the website and click on the tab at the top of the page that indicates “Coronavirus Scams.”  Scamicide has been cited by the New York Times as one of three top sources for information about Coronavirus related scams.

If you are not a subscriber to and would like to receive daily emails with the Scam of the day, all you need to do is sign up for free using this link.