Two men believed to be at the center of the theft of e-mail addresses from AT&T last year are now facing criminal charges.
Daniel Spitler, 26, of San Francisco, and 25-year-old Andrew Auernheimer of Fayetteville, Ark., were taken into custody by the FBI Jan. 18 in connection with the theft of more than 100,000 e-mail addresses belonging to Apple iPad 3G users.
The charges stem from an incident last June, when Goatse Security – a small, loose-knit confederation of hackers – reported exploiting a flaw in the AT&T Website and swiping e-mail addresses belonging to iPad owners. At the time, AT&T said “unauthorized computer hackers” had exploited a function designed to make the customer iPad log-in process faster by linking a user’s integrated circuit card identification (ICC-ID) with their e-mail address.
When an iPad 3G user returned to the AT&T site after registering, their ICC-ID would be recognized and their e-mail address would automatically be filled in on the log-in page. At the time, when an iPad 3G communicated with the site the ICC-ID was automatically displayed in the URL in plain text.
According to authorities, the hackers took advantage of the situation by creating a script known as “iPad 3G Account Slurper” to randomly generate ICC-ID numbers. If the number matched an actual ICC-ID, the authentication page log-in screen would be returned along with the e-mail addresses associated with the ICC-ID.
News of the issue went public and Goatse Security contacted Gawker Media with details of the situation and took credit for harvesting the data. The stolen e-mail addresses included some military officials as well as top executives at companies such as Dow Jones and The New York Times Company. Goatse defended itself against claims it acted inappropriately by contending the flaw was patched before news of the situation was made public.
The FBI arrested Auernheimer on drug charges not long after the attack after agents searched his home.
According to authorities, Spitler and Auernheimer communicated with one another about the theft using Internet Relay Chat. Excerpts from those chats can be read here (PDF) in a federal complaint.
“Hacking is not a competitive sport, and security breaches are not a game,” said U.S. Attorney Paul Fishman. “Companies that are hacked can suffer significant losses, and their customers made vulnerable to other crimes, privacy violations and unwanted contact.”
Both men face one count of conspiracy to access a computer without authorization and one count of fraud in connection with personal information. Each count carries a maximum penalty of five years in prison and a fine of $250,000.