Two men accused of hacking photo-sharing service Photobucket.com, Inc. were indicted and arrested Friday by the Federau Buerau of Investigation (FBI.)

Brandon Bourret, 39, of Colorado Springs, Colorado and Athanasios Andrianakis, 26, of Sunnyvale, California, are accused of knowingly conspiring to commit acts and offenses against the United States, namely computer fraud and abuse, access device fraud, identification document fraud and wire fraud.

Both are said to have sold a program called Photofucket which allowed viewers to circumvent the privacy settings of Photobucket hosted images and videos, giving access to users private and password protected information, images and videos without authorization.

It’s not entirely clear from the complaint exactly how it worked, with it being claimed that Photofucket could be used to obtain guest passwords to access users’ password protected albums.  Those passwords were also said to be transferred, or “caused to be transferred” guest passwords to others who paid to use the Photofucket application….which doesn’t make a lot of sense given guest accounts aren’t paid on Photobucket, nor would a guest account normally have access to a private account.

“It is not safe to hide behind your computer, breach corporate servers and line your own pockets by victimizing those who have a right to protected privacy on the internet,” said U.S. Attorney Walsh.  “The U.S. Attorney’s Office is keenly focused on prosecuting those people for their theft — and for the wanton harm they do to innocent internet users.”

Two years the fool?

It’s simply not made clear in the complaint exactly how this all worked; did the software actually hack Photobucket or was it just a clever way of circumventing Photobucket’s privacy settings, possibly due to a security flaw?

The software is alleged to have been on sale, and effective for over two years, so if it was a hack, why didn’t Photobucket do something about having it closed down? It’s unlikely it took Photobucket two years to notice that this software was available for download.

The details will no doubt come out in court, but in the meantime something is a little strange here.

The defendants face a maximum penalty of five years in prison and a $250,000 fine on the counts of conspiracy and computer fraud, aid, and abet, and a maximum sentence of 10 years on each count of access device fraud.

photo credit: I See You. via photopin (license)