The Department of Justice is pursuing a high-profile prosecution against former University of Michigan football coach Matt Weiss for allegedly hacking into the private accounts of female athletes. This comprehensive report examines the case from multiple angles, providing insight into the specific charges, hacking techniques employed, and the far-reaching impact on victims.
1. Specific federal charges
Weiss faces multiple serious federal charges that could result in significant prison time if convicted. The indictment includes 14 counts of unauthorized computer access and 10 counts of aggravated identity theft under specific federal statutes.
18 U.S.C. § 1030(a)(2)(C)
This statute prohibits intentionally accessing a computer without authorization and obtaining information from a protected computer. Prosecutors must prove Weiss knowingly circumvented security measures to access student-athlete databases across multiple universities.
18 U.S.C. § 1030(a)(4)
This charge focuses on computer fraud with intent to obtain something of value. The prosecution will argue that the private photos and videos themselves constituted the “thing of value” Weiss fraudulently obtained through his unauthorized access.
Aggravated identity theft, 18 U.C.C. § 1028A
These charges stem from Weiss allegedly stealing and using student-athletes’ identities to access their personal accounts and data, a separate offense that carries mandatory consecutive sentencing.
2. Detailed hacking techniques
The investigation revealed a sophisticated and methodical approach to obtaining unauthorized access to sensitive information through multiple technical vectors.
Compromising accounts with elevated access
Weiss specifically targeted accounts belonging to athletic trainers and directors who had privileged access within university systems. By gaining control of these accounts, he created a gateway to access databases containing sensitive student-athlete information.
Exploiting third-party vendor vulnerabilities
A significant element of the scheme involved exploiting security weaknesses in systems maintained by Keffer Development Services, a third-party vendor that managed student-athlete databases for numerous universities, effectively creating a central point of vulnerability.
Password decryption
According to the indictment, Weiss successfully decrypted encrypted password files using techniques researched online. This suggests he may have employed commonly available password cracking tools like John the Ripper or Hashcat to breach security measures.
Password resetting and guessing
The investigation found that Weiss employed both technical and social engineering approaches, guessing passwords based on personal information gathered through internet research, including mothers’ maiden names, pet names, and other personal details.
Exploiting vulnerabilities in university authentication processes
Weiss took advantage of weak account authentication protocols at various universities. The absence of multi-factor authentication on many student email accounts significantly contributed to the success of his attacks.
3. Quantified victim impact with specific examples
The case has identified approximately 3,300 students and alumni as potential victims, with the majority being female athletes. The psychological impact has been profound and far-reaching.
Feelings of betrayal
Victims consistently report profound feelings of betrayal by Weiss, their universities, and the third-party vendors responsible for safeguarding their data. One victim expressed that her sense of privacy had been revealed as “just an illusion.”
Anxiety and fear
Many victims report experiencing persistent anxiety as they attempt to determine what personal content may have been accessed and potentially distributed. This uncertainty has created ongoing psychological distress.
Emotional distress
Attorney Megan Bonanni, representing multiple victims, has characterized the violations as “cyber sexual assault,” noting: “It really is someone who took — without permission — very intimate, private images that are sexual in nature. And so, when that kind of betrayal, when that kind of assault, happens, it is a sexual assault.”
4. Expanded timeline with key legal proceedings
The investigation and legal proceedings have unfolded over multiple years, beginning with the initial discovery of suspicious activity in December 2022, through Weiss’s termination in January 2023, to the federal indictment in March 2025. The FBI joined the University of Michigan Police Department’s investigation in October 2023, indicating the seriousness of the case. Weiss appeared in federal court in Detroit on March 24, 2025, pleading not guilty to all charges, while civil lawsuits against him and the university continue to expand.
5. Clarify sentencing factors and potential outcomes
If convicted, Weiss faces up to five years imprisonment for each unauthorized access count and an additional mandatory two-year consecutive sentence for each identity theft count. Sentencing will likely consider the extensive victim impact, sophisticated nature of the crimes, and deliberate targeting of vulnerable victims. The deliberate and calculated nature of the scheme may limit mitigating circumstances, while the targeting of female athletes and documentation of victims’ bodies may serve as aggravating factors.
6. Incorporate details on digital forensics
Digital forensic analysis has been crucial to building the case against Weiss. Investigators have analyzed computer logs documenting unauthorized system access, recovered decrypted password files, and retrieved downloaded personal content from his devices. The investigation likely employed specialized forensic tools such as EnCase or FTK to recover and analyze digital evidence while maintaining proper chain of custody requirements.
7. Elaborate on civil lawsuits
Multiple civil lawsuits have been filed against Weiss, the University of Michigan, its Board of Regents, and Keffer Development Services. These lawsuits allege negligence, invasion of privacy, and infliction of emotional distress. More than 40 women are involved in one lawsuit filed by Marko Law, with plaintiffs seeking compensatory damages, punitive damages, and injunctive relief requiring improved security measures. Additional lawsuit with abuse allegations and a separate lawsuit over basketball player death highlight the broader context of legal challenges in collegiate athletics.
8. Include university and vendor responses
The University of Michigan has stated they “promptly placed Mr. Weiss on leave, forwarded this matter to law enforcement authorities and moved forward with Mr. Weiss’ termination on January 21, 2023” upon discovering suspicious system activity. Critics argue the university should have done more to notify and support affected students. This case reflects broader institutional accountability questions similar to those raised in the ongoing Michigan State NCAA investigation into other regulatory compliance matters.
9. Address broader implications with expert opinions
This case highlights significant vulnerabilities in university data security practices. Cybersecurity expert Kevin Nether noted the sophisticated and intentional nature of the breach, stating: “Getting access to this information for average people is not easy, but him having access to this database definitely made it easier…That sort of work in the background takes a lot of time and effort to do. It’s nothing you stumble across it’s something you have to be extremely intentional about doing.” Universities must implement stronger data protection measures including multi-factor authentication, enhanced vendor oversight, and improved ethical training for staff with access to sensitive student information.
10. Add visual elements
A comprehensive visual timeline would illustrate the progression from initial breach detection through investigation, indictment, and ongoing legal proceedings. A technical flowchart would demonstrate how Weiss allegedly compromised systems by first targeting accounts with elevated privileges, then exploiting vendor vulnerabilities to access broader databases, and finally using various techniques to decrypt passwords and access individual accounts.
