A man from Phoenix, Arizona pled guilty on Wednesday to one count of fraud for hacking into 1,035 university student email accounts in search of sexually explicit videos and photos. Jonathan Powell, 30, pulled off this exploit by taking advantage of a simple security weakness: the password reset function.

A press release from the U.S. Attorney’s Office in the Southern District of New York describes the crimes Powell committed against students at a single university in the New York area — Pace University has stated that it is the affected institution — but other sources suggest that Powell may have succeeded in breaching the security of one more school and attempted to do so at 75 others.

Between October 2015 and September 2016, Powell hacked into the password reset utilities of Pace’s email servers and attempted to change the passwords of around 2,054 unique accounts, succeeding with 1,035 of them. And he didn’t stop there.

“Once POWELL gained access to the compromised email accounts (the ‘Compromised Accounts’),” reads the release, “he obtained unauthorized access to other password-protected email, social media, and online accounts to which the Compromised Accounts were registered, including, but not limited to, Apple iCloud, Facebook, Google, LinkedIn, and Yahoo! accounts.”

He used that access to look for sexually explicit content, sometimes searching for the terms “naked” and “horny.”

Powell did all of this while sitting at work in Arizona; the Federal Bureau of Investigation found him by tracking the hacker’s IP address to the computer at his office.

“This case should serve as a wakeup call for universities and educational institutions around the country,” Preet Bharara, U.S. Attorney for the Southern District of New York, said in a statement.

Pace was originally alerted to the fact that something was wrong when students reported that their passwords had been reset without their authorization. Reporting such instances and being careful about the passwords you choose are important ways of safeguarding against cyberthreats.

Powell is expected to be sentenced on December 1, 2017.
