Two men have been charged in connection with a hack on the AT&T Website last June that exposed more than 100,000 e-mail addresses belonging to owners of the Apple iPad 3G.
Two men believed to be at the center of the theft of e-mail addresses from AT&T last year are now facing criminal charges.
Daniel Spitler, 26, of San Francisco, and 25-year-old Andrew Auernheimer of Fayetteville, Ark., were taken into custody by the FBI Jan. 18 in connection with the theft of more than 100,000 e-mail addresses belonging to Apple iPad 3G users.
The charges stem from an incident last June, when Goatse Security -
a small, loose-knit confederation of hackers - reported exploiting a
flaw in the AT&T Website and swiping e-mail addresses belonging
to iPad owners. At the time, AT&T said "unauthorized
computer hackers" had exploited a function designed to make the
customer iPad log-in process faster by linking a user's integrated
circuit card identification (ICC-ID) with their e-mail address.
When an iPad 3G user returned to the AT&T site after
registering, their ICC-ID would be recognized and their e-mail
address would automatically be filled in on the log-in page. At the
time, when an iPad 3G communicated with the site the ICC-ID was
automatically displayed in the URL in plain text.
According to authorities, the hackers took advantage of the
situation by creating a script known as "iPad 3G Account Slurper" to
randomly generate ICC-ID numbers. If the number matched an actual
ICC-ID, the authentication page log-in screen would be returned along
with the e-mail addresses associated with the ICC-ID.
News of the issue went public and Goatse Security contacted Gawker
Media with details of the situation and took credit for harvesting the
data. The stolen e-mail addresses included some military officials as
well as top executives at companies such as Dow Jones and The New York
Times Company. Goatse defended itself against claims it acted
inappropriately by contending the flaw was patched before news of the
situation was made public.
The FBI arrested Auernheimer on drug charges not long after the attack after agents searched his home.
According to authorities, Spitler and Auernheimer communicated with
one another about the theft using Internet Relay Chat. Excerpts from
those chats can be read here (PDF) in a federal complaint.
"Hacking is not a competitive sport, and security breaches are not a
game," said U.S. Attorney Paul Fishman. "Companies that are hacked can
suffer significant losses, and their customers made vulnerable to other
crimes, privacy violations and unwanted contact."
Both men face one count of conspiracy to access a computer without
authorization and one count of fraud in connection with personal
information. Each count carries a maximum penalty of five years in
prison and a fine of $250,000.