2 charged with stealing information from more than 100,000 iPad users
1/18/2011NEWARK, N.J. — Two hackers who were engaged in game of “malicious one-upsmanship” stole the e-mail addresses of more than 100,000 Apple iPad users, including those of politicians and famous media personalities, federal prosecutors said Tuesday in announcing criminal charges against the men.
AT&T revealed the security vulnerability months ago, and U.S. Attorney Paul Fishman said there was no evidence that the two men used the information they acquired for criminal purposes. Authorities cautioned, however, that the information could have wound up in the hands of spammers and scammers.
Daniel Spitler, 26, of San Francisco, and Andrew Auernheimer, 25, of Fayetteville, Ark., face charges of fraud and conspiracy to access a computer without authorization. Both men were scheduled to appear in federal court Tuesday afternoon, Spitler in Newark and Auernheimer in Fayetteville.
Fishman characterized the men and their cohorts as engaging in “malicious one-upsmanship” as they sought to impress each other and others in the online community.
“We don't tolerate committing crimes for street cred,” Fishman said. “Computer hacking is not a competitive sport, and security breaches are not a game.”
The stolen e-mail addresses are unlikely to be the basis for identity theft, but a spammer armed with the addresses could send e-mail pretending to be from Apple or AT&T, which the recipients might be more likely to open.
The criminal complaint against Spitler and Auernheimer details online conversations in which the duo's peers discuss selling the addresses to spammers.
“you could put them in a database for spamming for example sell them to spammers ...” a user named Nstyr wrote to Spitler, the complaint alleges.
“tru ipad focused spam,” Spitler responds.
The complaint quotes an article published on Gawker.com that contended the e-mail addresses of film mogul Harvey Weinstein, White House chief of staff Rahm Emanuel, New York Mayor Michael Bloomberg and Diane Sawyer of ABC News were among those lifted from AT&T's servers.
The case was brought in New Jersey because about 16,000 victims live in the state, Fishman said.
AT&T spokesman Mark Siegel said, “We take our customers' privacy very seriously.” He said the company was not under investigation for the breach.
In June, AT&T Inc. acknowledged a security weak spot on a website that exposed the e-mail addresses of apparently more than 100,000 iPad users. The company said the vulnerability affected only iPad users who signed up for AT&T's “3G” wireless Internet service and that it had fixed the problem.
It involved an insecure way that AT&T's website would prompt iPad users when they tried to log into their AT&T accounts through the devices. The site would supply users' e-mail addresses, to make log-ins easier, based on unique codes contained in the SIM cards inside their iPads. SIM cards are used to tell cell phone networks which subscriber is trying to use the service.
A hacker group that called itself Goatse Security claimed at the time to have discovered the weakness and said it was able to trick AT&T's site into coughing up more than 114,000 e-mail addresses. Both Spitler and Auernheimer were members of the group, authorities said.
A representative for the group told The Associated Press in June that the group contacted AT&T and waited until the vulnerability was fixed before going public with the information. The U.S. attorney's office disputed that.
According to an affidavit filed in June and unsealed last month, the suspects used a computer script they called “the iPad3G Account Slurper” that mimicked the behavior of an iPad 3G so that AT&T's servers would falsely believe they were communicating with an actual iPad.
The theft of the e-mail addresses occurred between June 3 and June 8, according to the affidavit. On June 9, the information was provided Gawker, which published an article on the breach.
The affidavit also claims Auernheimer bragged about the operation in a blog posting on June 9 and an interview with CNET published online on June 10, but later backtracked from those statements. It quotes him from a New York Times article declaring, “I hack, I ruin, I make piles of money. I make people afraid for their lives.”
Auernheimer also faces state narcotics charges in Arkansas stemming from the search of his residence in June, Fishman said.