Last year, 25-year-old Brad Stephenson found a loophole in one of Nike's websites and decided to take advantage. Over the span of five months, he used accounts meant for professional athletes to steal Nike merchandise worth over $80,000.
A federal indictment explains the events that followed:
Case agents with the United States Secret Service and United States Postal Inspection Service received information from a representative of Nike that computer accounts provided by Nike to contract client-athletes had been fraudulently accessed and used to order Nike merchandise.
Through further investigation, case agents learned at least 12 Nike Elite accounts were accessed and a total of $81,419.58 in Nike merchandise was ordered and subsequently shipped to various addresses in Arizona, North Carolina, Virginia and Florida. The legitimate account holders confirmed they did not authorize anyone to access or place orders on their Nike accounts.
Stephenson found out Nike credited the accounts so athletes could order merchandise without charge. After learning how the system worked from professional athletes he knew, the former baseball player gained access to the Nike elite-athlete accounts and ordered merchandise from Nike by listing himself as a guest of the account holders.
A few months ago, the Secret Service showed up at his door with a search warrant. A search of the residence resulted in agents finding and seizing 231 pieces of Nike merchandise which had been fraudulently obtained through elite-athlete accounts. The value of the items recovered was only $17,057.
Stephenson gave a lot of the gear away as gifts and he even sold a small number of items on eBay, according to court documents. The rest he kept. The young man was indicted on one count of computer fraud and struck a plea deal after agreeing to help Nike plug their security holes.
- Apple iOS in-app purchases hacked; everything is free (video)
- Android Forums hacked: 1 million user credentials stolen
- Yahoo fixes flaw behind 450,000 account hack
- The top 10 passwords from the Yahoo hack: Is yours one of them?
- Nvidia confirms hackers swiped up to 400,000 user accounts
- Minecraft account impersonation security flaw disclosed, fixed