Two men have been arrested after breaching the computer services of Colorado based Photobucket, a company that operates an image and video hosting website. Brandon Bourret, 39, of Colorado Springs, Colorado and Athanasios Andrianakis, 26, of Sunnyvale, California, were arrested today without incident at their homes.
According to the indictment, beginning on July 12, 2012 and continuing through July 1, 2014, Bourret and Andrianakis knowingly conspired to commit acts and offenses against the United States, namely computer fraud and abuse, access device fraud, identification document fraud and wire fraud. The indictment further alleges that there was interdependence among the members of the conspiracy.
The purpose of the conspiracy was for the conspirators to enrich themselves by selling passwords and unauthorized access to private and password protected information, images and videos on the Internet and by selling private and password protected information, images and videos that the conspirators obtained from the Internet.
The conspirators developed, marketed and sold a software application called Photofucket, which allowed viewers to circumvent the privacy settings of the image and video hosting website at Photobucket.com and to access and copy users private and password protected information, images and videos without authorization. The conspirators used Photofucket to obtain guest passwords to access users’ password protected albums. They also transferred, or caused to be transferred, guest passwords to others who paid to use the Photofucket application.
The investigation regarding the breach and who’s albums were accessed is ongoing. The U.S. Attorney’s Office and the FBI commended Photobucket for their cooperation from the inception of the investigation.
Bourret and Andrianakis both face one count of conspiracy, which carries a penalty of not more than five years in federal prison and up to a $250,000 fine. They each face one count of computer fraud, aid and abet, which also carries a penalty of not more than five years in federal prison and up to a $250,000 fine. Finally, they each face two counts of access device fraud, which carries a penalty of not more than ten years in federal prison, and up to a $250,000 fine, per count.