Former Yahoo engineer admits using his access to steal users’ sexual images

A large sign reading,
Enlarge / A sign outside a Yahoo corporate building in Los Angeles.

A former Yahoo software engineer has pleaded guilty to hacking into thousands of users’ accounts in search of sexually explicit images and videos and other types of private data.

Reyes Daniel Ruiz on Monday admitted to using his access as a Yahoo engineer to compromise about 6,000 user accounts, federal prosecutors said. The engineer, now 34, cracked user passwords and accessed internal Yahoo systems to access the accounts. He told prosecutors he targeted accounts belonging to younger women, including personal friends and work colleagues.

He used his access to the Yahoo accounts to compromise victims’ accounts on other services, including iCloud, Facebook, Gmail, and Dropbox, in search of additional private images and videos. After a former employer observed suspicious account activity, Ruiz admitted to destroying the computer and hard drive he used to store the private data, prosecutors said.

Ruiz was indicted in April on one count of computer intrusion and one count of interception of a wire communication. The indictment said that, from May to June 2018, he accessed at least 18 email accounts “thereby obtained personal information, including private photographs and videos, which defendant downloaded and kept for his own personal purposes.” Prosecutors at the time also alleged Ruiz intercepted or tried to intercept email on about 37 Yahoo/Oauth email accounts.

Ruiz’s LinkedIn account showed that he worked at Yahoo for almost 11 years. The account shows that in October 2018, he went on to become a senior engineer at Okta, a San Francisco-based company that does access management. An Okta representative told news site Motherboard that Ruiz worked there for six months and that all of the actions stemming from the charges occurred before he joined the company.

Ruiz is currently on release on conditions of a $200,000 bond. He faces a maximum five years in prison and a $250,000 fine, plus restitution. Sentencing is scheduled for February 3.

https://arstechnica.com/?p=1578031