A former software engineer at Yahoo pleaded guilty on Monday, Sept. 30, to hacking thousands of accounts to hunt for sexual images and videos.
Reyes Daniel Ruiz is now facing up to five years in prison and $250,000 fine plus restitution. He is due to return in court for sentencing in February 2020.
Yahoo Software Engineer Hacked Personal Accounts, Stole Private Data
According to the U.S. Attorney's District Office in Northern California, Ruiz admitted to taking advantage of his work at Yahoo to access the personal accounts of about 6,000 users. The 34-year-old cracked user password and used internal systems to compromise accounts.
He then used hacked Yahoo accounts to access Facebook, Gmail, iCloud, DropBox, and online services in search for private and personal records. He also made copies of sexual images and videos he found and stored them in a hard drive in his home.
Ruiz primarily targeted younger women, including his personal friends and work colleagues.
It was Yahoo that discovered the illicit activity. Soon after the Verizon-owned tech company launched an investigation, the software engineer destroyed the computer and hard drive in which he kept copies of the stolen data.
He was indicted by a federal grand jury on April 4 and charged with one count of Computer Intrusion and one count of Interception of a Wire Communication. He pleaded guilty to just the Computer Intrusion charge.
Ruiz worked at Yahoo for 10 years. His LinkedIn profile claimed that he is still working as a senior-level engineer at the identity and access management company Okta.
However, in a statement to Motherboard, a spokesperson from the San Francisco-based company said that Ruiz only worked there for six months. He was fired in May 2019.
"The actions for which he was indicted all happened prior to his employment at Okta," the spokesperson revealed. "The privacy and security of our customers is our top priority, and immediately upon learning of the indictment, Ruiz's access was revoked and Okta worked with a third party to conduct a forensic analysis, which confirmed that no company or customer data was compromised."
Ruiz is currently on release on a $200,000 bond.
Neither Yahoo nor Verizon has issued a statement as of this writing.
Massive Yahoo Data Breach
This is not the first time that personal accounts of Yahoo users were compromised. In 2016, the company admitted that 3 billion accounts — every single customer account at the time — was breached in August 2013. This included e-mail, Tumblr, Fantasy, and Flickr.