'Photofucket' devs arrested for selling their pic-stealing app
Years before stolen pictures of celebs hit the internet in a massive bundle, news that Reddit posters were searching for private photos popped up under the term "fusking." As detailed by Buzzfeed in August of 2012, Reddit channels were dedicated to using a security flaw in Photobucket.com to search for pictures posted in private folders. If anyone on the internet knew (or could guess) a private photo's direct URL it was visible, and guessing the default filename of digital photos isn't very difficult. Today the US Department of Justice is announcing the arrest of two men for selling "Photofucket" software that it says stole guest passwords for protected albums and sought out those private pictures.
Brandon Bourret of Colorado and Athanasios Andrianakis of Californias are facing charges of "computer fraud and abuse, access device fraud, identification document fraud and wire fraud." Access device fraud carries the longest potential penalty, with up to ten years in federal prison and a $250k fine per count. According to the indictment (PDF), evidence against Bourret and Andrianakis includes emails they sent discussing exploits, customer service messages to Photofucket buyers, and Paypal transfers to fund the operation.
Back in 2012, many users of the picture sharing site -- who may have uploaded photos years earlier for sharing on early social networks like Myspace or Friendster -- had no idea that marking a folder private only hid the folder. At the time Photobucket announced that all new accounts would have their links scrambled by default, as well asan option to scramble links for existing users. It's unclear if that helped stem the tide of the hackers for those who even knew about it, and the originally revealed Reddit channels are marked private now. Investigation of the breach and the accounts that were accessed is ongoing, but if you have any old albums gathering dust it's probably well past time to up their protection or delete them entirely.