Attorney General Kamala D. Harris Warns About Identity Theft as Predator Pleads Guilty to Hacking Hundreds of E-Mail Accounts

Thursday, January 13, 2011
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SACRAMENTO – A Citrus Heights computer hacker pleaded guilty to seven felony charges for breaking into hundreds of women’s e-mail accounts, the sort of identity theft crime that Californians should take steps to protect themselves against, according to Attorney General Kamala D. Harris.

“This case highlights the fact that anyone with an e-mail account is vulnerable to identity theft,” Attorney General Harris said. “One of the major goals of my office is to track down and prosecute every criminal who would stoop to stealing people’s identities.”

George Samuel Bronk, 23, of Citrus Heights, faces six years in state prison after entering guilty pleas today in Sacramento Superior Court to seven felonies including computer intrusion, false impersonation and possession of child pornography. Bronk will have to register as a sex offender. He will return to court on March 10 for further proceedings relating to his sentence.

From December 2009 through September 2010, Bronk accessed e-mail accounts and Facebook pages of people in 17 states, as well as residents of England. He essentially found answers to the women’s e-mail security questions in information they had posted on their Facebook sites.

Bronk targeted his victims by scanning Facebook for women who also posted their e-mail addresses there. He then contacted the woman’s e-mail service, pretending he was the legitimate customer, and claimed to have forgotten the password. Bronk was able to correctly answer security questions posed by the e-mail service by finding the answers on victims’ Facebook pages.

Some of the security questions posed by e-mail providers included, “What is your high school mascot?” “What is your father’s middle name?” “What is your favorite food?” and “What is your favorite color?”

Once Bronk gained access to the e-mail account, he changed the password and the victim was locked out.

Bronk searched the victim’s “sent mail” folder for nude or semi-nude photographs and videos, which he often sent to the victim’s entire e-mail address book. He also gained access to some victims’ Facebook accounts by clicking the “Forgot Your Password?” link and asking for a new password to be sent to the victim’s e-mail account, which he now controlled. In many cases, he posted the photographs to victims’ Facebook pages and to other Internet sites and made comments on the Facebook sites of friends.

Bronk messaged one victim that he had taken over her e-mail account “because it was funny.” In an online chat session with another victim using the name “xogreeneyesx3,” Bronk demanded the victim send him more explicit photographs or he would post the photographs he already had more widely. The victim complied.

The investigation began after one victim contacted the Connecticut State Police, and the agency then contacted the California Highway Patrol because the suspect appeared to be operating here. The CHP requested the Attorney General’s assistance.

On the hard drive of Bronk’s desktop computer, which was confiscated from his Citrus Heights’ home during a search in September, investigators found more than 170 files containing explicit photographs of women, including a film actress, whose e-mail accounts he had commandeered. Finding victims, however, proved a challenge. CHP and Attorney General agents were able to use location tagging information embedded on the photographs on Bronk’s hard drive to assist in identifying victims, and e-mailed 3,200 questionnaires to potential victims asking them to come forward.

Some 46 victims did, including one who described Bronk’s actions as “virtual rape.”

Bronk was arrested in October and has been held since then on $500,000 bail.

Attorney General Harris reminded users of e-mail and social networking sites that security questions and answers need to be as secure as passwords. There are steps people can take to avoid being victimized by “security question” hacks. These steps include:

•Pick security questions and answers that do not involve any personal information that is available from social networking sites or any other sites.

•Try to switch the security questions you choose for password protection on e-mail services and social networks.

•Add numbers or special characters to your security answers. For example, the question 'What was the name of your High School' could be answered “Middle02High@School.”

Joining the Attorney General’s office in this investigation were the Sacramento Valley Hi-Tech Crimes Task Force, the CHP, and the Connecticut State Police. The Attorney General’s office prosecuted the case.

For more information about identity theft, please see http://ag.ca.gov/idtheft/.

The arrest warrant and complaint are attached at the Attorney General’s website www.ag.ca.gov.

# # #