The second of two men charged in connection with hacking AT&T’s Website last year and swiping e-mail addresses belonging to Apple iPad 3G users has been released on bail.
Andrew Auernheimer was released Feb. 28 on $50,000 bail. His co-defendant, Daniel Spitler, made bail in January. The two were charged in January with stealing the e-mail addresses of more than 100,000 iPad users in June 2010 after discovering a security hole in AT&T’s Website.
The duo, part of a small, loose-knit confederation of hackers known as Goatse Security, uncovered a way to abuse a feature of the AT&T Website designed to make the log-in process faster for iPad users by linking the user’s ICC-ID (integrated circuit card identification) with their e-mail address. According to authorities, the hackers created a script to randomly generate ICC-ID numbers, and when those numbers matched an actual ICC-ID, the authentication page log-in screen would be returned along with the associated e-mail.
Goatse Security later contacted Gawker Media with details of the vulnerability, which has since been closed, and took credit for pilfering the data. Some of the stolen e-mail addresses belonged to military officials, as well as top executives at companies such as Dow Jones and The New York Times Company. Goatse has contended the flaw was patched before news of the situation was made public.
“Hacking is not a competitive sport, and security breaches are not a game,” U.S. Attorney Paul Fishman said in a statement in January. “Companies that are hacked can suffer significant losses, and their customers made vulnerable to other crimes, privacy violations and unwanted contact.”
Both men face one count of conspiracy to access a computer without authorization and one count of fraud in connection with personal information. Each count carries a maximum penalty of five years in prison and a fine of $250,000.