NEWARK, N.J. (AP) - Two hackers who were engaged in a game of "malicious one-upsmanship" stole the e-mail addresses of more than 100,000 Apple iPad users, including those of politicians and famous media personalities, federal prosecutors said Tuesday in announcing criminal charges against the men.
AT&T revealed the security vulnerability months ago, and U.S. Attorney Paul Fishman said there was no evidence that the two men used the information they acquired for criminal purposes. Authorities cautioned, however, that the information could have wound up in the hands of spammers and scammers.
Daniel Spitler, 26, of San Francisco, and Andrew Auernheimer, 25, of Fayetteville, Ark., face charges of fraud and conspiracy to access a computer without authorization. Both men were scheduled to appear in federal court Tuesday afternoon, Spitler in Newark and Auernheimer in Fayetteville.
Fishman characterized the men and their cohorts as engaging in "malicious one-upsmanship" as they sought to impress each other and others in the online community.
"We don't tolerate committing crimes for street cred," Fishman said. "Computer hacking is not a competitive sport, and security breaches are not a game."
The stolen e-mail addresses are unlikely to be the basis for identity theft, but a spammer armed with the addresses could send e-mail pretending to be from Apple or AT&T, which the recipients might be more likely to open.
The criminal complaint against Spitler and Auernheimer details online conversations in which the duo's peers discuss selling the addresses to spammers.
"you could put them in a database for spamming for example sell them to spammers ..." a user named Nstyr wrote to Spitler, the complaint alleges.
"tru ipad focused spam," Spitler responds.
The complaint quotes an article published on Gawker.com that contended the e-mail addresses of film mogul Harvey Weinstein, White House chief of staff Rahm Emanuel, New York Mayor Michael Bloomberg and Diane Sawyer of ABC News were among those lifted from AT&T's servers.
The case was brought in New Jersey because about 16,000 victims live in the state, Fishman said.
AT&T spokesman Mark Siegel said, "We take our customers' privacy very seriously." He said the company was not under investigation for the breach.
In June, AT&T Inc. acknowledged a security weak spot on a website that exposed the e-mail addresses of apparently more than 100,000 iPad users. The company said the vulnerability affected only iPad users who signed up for AT&T's "3G" wireless Internet service and that it had fixed the problem.
It involved an insecure way that AT&T's website would prompt iPad users when they tried to log into their AT&T accounts through the devices. The site would supply users' e-mail addresses, to make log-ins easier, based on unique codes contained in the SIM cards inside their iPads. SIM cards are used to tell cell phone networks which subscriber is trying to use the service.
A hacker group that called itself Goatse Security claimed at the time to have discovered the weakness and said it was able to trick AT&T's site into coughing up more than 114,000 e-mail addresses. Both Spitler and Auernheimer were members of the group, authorities said.
A representative for the group told The Associated Press in June that the group contacted AT&T and waited until the vulnerability was fixed before going public with the information. The U.S. attorney's office disputed that.
According to an affidavit filed in June and unsealed last month, the suspects used a computer script they called "the iPad3G Account Slurper" that mimicked the behavior of an iPad 3G so that AT&T's servers would falsely believe they were communicating with an actual iPad.
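An added illustration, not taken from the AP report, the affidavit or AT&T's systems: the weakness described above is a lookup that returns an e-mail address to anyone who presents a SIM identifier and claims to be the right kind of device. The Python sketch below sets that pattern beside a version that requires proof of a prior login, and adds a simple check for one client querying many identifiers. All names, identifiers, addresses and the token scheme are assumptions constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: SIM identifier -> account e-mail (hypothetical).
ACCOUNTS = {"SIM-0001": "alice@example.com", "SIM-0002": "bob@example.com"}
SERVER_KEY = b"constructed-demo-key"  # placeholder secret for this example


def prefill_vulnerable(sim_id, claimed_device):
    """Weak pattern: an identifier plus a client-claimed device type suffices."""
    if claimed_device != "ipad-3g":  # the client controls this value
        return None
    return ACCOUNTS.get(sim_id)


def issue_token(sim_id):
    """Hypothetical token given to a device after a real authenticated login."""
    return hmac.new(SERVER_KEY, sim_id.encode(), hashlib.sha256).hexdigest()


def prefill_hardened(sim_id, token):
    """Return the address only if the caller proves a prior login for this SIM."""
    if not hmac.compare_digest(issue_token(sim_id), token or ""):
        return None
    return ACCOUNTS.get(sim_id)


def flag_enumeration(log, threshold=3):
    """Flag clients that request many distinct SIM identifiers."""
    seen = defaultdict(set)
    for client, sim_id in log:
        seen[client].add(sim_id)
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)


# Constructed request log: (client address, SIM identifier requested).
SAMPLE_LOG = [
    ("198.51.100.7", "SIM-0001"), ("198.51.100.7", "SIM-0002"),
    ("198.51.100.7", "SIM-0003"), ("198.51.100.7", "SIM-0004"),
    ("203.0.113.20", "SIM-0001"), ("203.0.113.20", "SIM-0001"),
]

if __name__ == "__main__":
    print(prefill_vulnerable("SIM-0001", "ipad-3g"))
    print(prefill_hardened("SIM-0001", None))
    print(flag_enumeration(SAMPLE_LOG))
```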
The theft of the e-mail addresses occurred between June 3 and June 8, according to the affidavit. On June 9, the information was provided to Gawker, which published an article on the breach.
The affidavit also claims Auernheimer bragged about the operation in a blog posting on June 9 and an interview with CNET published online on June 10, but later backtracked from those statements. It quotes him from a New York Times article declaring, "I hack, I ruin, I make piles of money. I make people afraid for their lives."
Auernheimer also faces state narcotics charges in Arkansas stemming from the search of his residence in June, Fishman said.
Associated Press writer Jill Zeman Bleed in Little Rock, Ark., contributed to this story.
Copyright 2011 The Associated Press.