Former Coach Charged in Hack of 3,300 Personal Accounts of Mostly Female College Athletes

Federal prosecutors have charged a Michigan man, Matthew Weiss, on allegations he orchestrated an extensive hacking operation that compromised the personal accounts of over 3,300 people, primarily female college athletes.

According to a grand jury indictment filed in the United States District Court for the Eastern District of Michigan, former assistant football coach Matthew Weiss now faces multiple felony counts, including unauthorized access to protected computers and aggravated identity theft.

In the indictment documents made public by The Record, the authorities allege that, between 2015 and January 2023, Weiss systematically targeted female college athletes by exploiting their personal and school-related information.

The investigators also revealed that he researched victims using publicly available data, a technique known as scraping, and tracked their athletic histories and personal affiliations before launching phishing and password-guessing attacks.

His alleged goal was clear: to gain access to their email, social media, and cloud storage accounts.

After gaining access to the accounts, Weiss allegedly searched for and downloaded private photographs and videos, many of which were intimate. In some cases, he returned to compromised accounts months or even years later to download even more files.

Exploiting athlete databases and data breaches

The indictment underscores how the coach allegedly used the stolen credentials and breached databases maintained by Keffer Development Services, a third-party vendor managing student-athlete records across over 100 universities. In total, the attacker accessed personally identifiable information (PII) and medical records of more than 150,000 student-athletes

Investigators also found that Weiss obtained these credentials using many techniques, including cracking encrypted passwords and utilizing data from previous data breaches and leaks. The information the attacker obtained was later used to reset passwords and gain control of control of social media, email, and cloud storage accounts.

University security gaps exploited

Weiss’s alleged attacks didn’t stop at stolen credentials. He is also believed to have targeted individual athletes by taking advantage of vulnerabilities in university authentication systems to escalate his access.

Legal charges are extensive

Weiss has been charged with multiple counts of violating the Computer Fraud and Abuse Act. If convicted, Weiss faces significant prison time and asset forfeiture.

Authorities are still trying to determine the full extent of Weiss’s activities and whether other people were involved in the operation.