A Singaporean student who hacked into the official US National Football League’s (NFL) Twitter account was sentenced to 24 months probation at the State Courts on Thursday (5 April).
Devesh Logendran, 18, pleaded guilty to 11 charges under the Computer Misuse and Cybersecurity Act.
Court documents showed that on 7 June 2016, Devesh – who had gained access to the NFL Twitter account largely by using publicly available information – sent out a tweet stating that the NFL’s commissioner Roger Goodell had died. The hoax tweet went viral.
After the message was deleted by someone else with access to the NFL account, Devesh tweeted a second time, saying, “Oi, I said Roger Goodell has died. Don’t delete that tweet”.
Devesh also posted a final tweet on the NFL account after people realised it was a hoax, which said, “OK, OK, you amateur detectives win. Good job”.
On 5 August 2016, the Singapore Police Force’s Technology Crime Investigation Branch (TCIB) received information that the NFL Twitter hacker’s Internet Protocol (IP) address originated from Singapore. Investigators then traced the IP address to Devesh’s home.
Devesh’s efforts to hack into the NFL Twitter account began in March 2016 when he found the Twitter account of the NFL’s social media director, which was linked to the latter’s e-mail account.
The e-mail address was in turn linked to a mobile phone number belonging to the social media director’s husband. The mobile number was registered under Rogers Communications, a Canadian media company where her husband worked.
Devesh then impersonated the husband and reached out to the company’s online support team, claiming to have lost access to a work account. Google searches on the social media director’s husband had fed Devesh with enough publicly available personal information that allowed him to answer the security questions asked.
He was then issued with the username and a temporary password for the work account. Once Devesh entered the account, he found the social media director’s registered mobile number.
Devesh then arranged to have a copy of each message sent to the social media director’s phone, to also be sent to a mobile number that he had access to. This way, when Devesh requested to reset her e-mail password, he was able to see the temporary password that she had received.
Through these efforts, he gained access to all the e-mails the social media director received and used the information to easily obtain the password for the NFL Twitter account.
Junior college systems also hacked
During the same month, Devesh searched online and came across a server that was Virtual Network Computing (VNC) enabled – which meant that it could be controlled remotely.
The server in question belonged to a junior college in Singapore. Devesh then downloaded some files and documents that gave him access to the systems of another junior college.
One of the systems Devesh got access to was a student management system that stored students’ particulars. From there he came across the name and personal e-mail address of a female student he thought might have been his former primary school classmate.
He then accessed her e-mail account, using a password provided to him by one of his friends. It is not clear how his friend came to know the password, or why Devesh wanted access to the e-mail address.
For unauthorised modification of the contents of any computer Deveshm could have been jailed up to three years or fined up to $10,000 or both.
For using a computer to secure access to a program or data without authority, he could have been jailed up to two years or fined up to $5,000 or both.