Extortion Through Theft of Private Photobucket Images
On November 2, Brandon Bourret was sentenced to 29 months in federal prison and three years on supervised release after pleading guilty to conspiracy to commit computer fraud and abuse, access device fraud, identification document fraud, and wire fraud. Bourret was the architect of PhotoFucket, a software application that accessed password-protected and private photo albums saved on the image-hosting website Photobucket. The albums were accessed in order to find “wins”—nude or sexually explicit images. Bourret promoted his software on PhatThumbs.Photofucket.com, where he published some of the “wins.” Customers could purchase the application to trawl for “wins” themselves.
Photobucket sets privacy at the album level; a user can set it at public, private, or password protected. However, even when heightened privacy is selected, there is still a direct link that can be used to access the photo. At first, PhotoFucket automated a guessing process called “fuskering” to discover these links, rather than hacking into individual Photobucket accounts. To “fusker” is to guess obscure web addresses and their extensions, often based on logical extensions. For example, the address photobucket.com/user/sarahtate might lead to photobucket.com/user/sarahtate/media/albumname/1.jpg and photobucket.com/user/sarahtate/media/albumname/2.jpg.