PLATTSBURGH — Two former SUNY Plattsburgh students have been connected to a case involving the theft of private nude photos from college students.
Nicholas Faber, 25, a Rochester native and SUNY Plattsburgh class of 2017 alumnus, pled guilty to computer fraud and aggravated identity theft Monday, according to a news release by the Northern District of New York.
Faber admitted that from 2017 to 2019, he and Michael Fish, also a SUNY Plattsburgh alumnus, accessed dozens of female students' emails, some of whom they knew.
SOLD NUDE PHOTOS
From there, they gained access to social media accounts on Snapchat and Instagram, where they were able to see and save nude photos and videos, which they sold and traded, the release said.
Faber faces up to 12 years in prison, a $250,000 fine and three years of post-imprisonment supervised release. Faber also agreed to pay $35,430 in restitution to SUNY Plattsburgh, the release said.
“We are pleased to see these cases brought and the guilty pleas filed,” SUNY Plattsburgh President Dr. Alexander Enyedi said in an email sent to students about the case Wednesday.
Faber was identified as a co-conspirator in the case after a Federal Bureau of Investigation probe, which included examination of Fish's personal devices and interviews, University Police Chief Patrick Rascoe said.
SUNY Plattsburgh University Police, which started the investigation, contacted 79 students directly to warn them about how their information may have been stolen by Fish, the chief said.
The department's investigation into Fish began in the spring of 2019 after the college's Library and Information Technology Services (LITS) department noticed strange activity from a student's email.
A range of IP addresses that were not from campus servers were accessing the account and had requested multiple password resets, Rascoe said. A deeper dive by University Police showed that other student emails were also accessed by the same IP addresses.
The department was able to block those IP addresses but not subpoena them because they were VPNs — secure connections that allow users to encrypt traffic data — from Canada, Rascoe said.
'A STROKE OF LUCK'
But University Police was able to block enough of the addresses to the point where Fish used his cell phone, which gave them a direct line to him.
“It was a stroke of luck,” Rascoe said.
From there, police worked with New York's Cyber Crimes Unit and Albany's FBI Cyber Crimes Unit.
“They adopted the case, and we had a cooperative investigation from that moment on,” Rascoe said.
A search warrant was placed, which led about a dozen officers made up of federal, state and university police to Fish's Albany residence, Rascoe said.
University Police then gathered campus access logs and conducted interviews to further assist the investigation, he continued.
At that time, Duo, a multi-factor authentication software, was available for campus log-ins for those who requested it.
After the Fish and Faber's break-ins, Duo was implemented campus-wide, Rascoe said.
Since then, Holly Heller-Ross, dean and CIO of LITS, said the college has not experienced a similar break-in attempt.
Fish also pleaded guilty to computer hacking, aggravated identity theft and child pornography offenses. He is scheduled to be sentenced March 19, the release said.