"Investigators believe that the accused got access to passwords of some of Smith's online profiles because Smith didn't have a lock on her room door, and didn't password-protect her computer."
"The affidavit reveals that Smith had a document on her laptop (which wasn’t password protected) that carried passwords to all her accounts, including iCloud which was later used by accused to steal her private pictures."
Let us also cringe at what 'Jennifer Smith' perhaps failed to practice out of ignorance or complacency :
1. Absence of FDE of storage
2. No passwords, if any, to protect OS logon, and no documented use of password managers (which can have some measure of brute-force resistance given a good choice of passphrase)
3. No physical control over ''sensitive'' equipment (Anyone could have tampered or accessed the equipment belonging to Jennifer).
4. Minimal to zero utilization of GPG/ GnuPG to protect sensitive stuff. (if no FDE was used, the very least was having such documents GnuPG protected)
TBH, anyone this ''CLUELESS'' is an equally-likely victim of the same scale of harm/ harassment should a complete stranger (with malicious intent) gain access to her room and belongings / or even worse to have cloned her data, tampered stuff, added some cute key-loggers etc. Heck, I'd stuff some dope inside her Macbook xD coz she is this ''pleb'' for a Mac user.
As it is, the breach was done offline.
Slick, but the guy got burned and rightly has to serve time.
Also, two VPN providers snitched and not just the one mentioned in the above OP.