NEWARK, N.J. (AP) - Two hackers who were engaged in game of "malicious one-upsmanship" stole the e-mail addresses of more than 100,000 Apple iPad users, including those of politicians and famous media personalities, federal prosecutors said Tuesday in announcing criminal charges against the men.
AT&T revealed the security vulnerability months ago, and U.S. Attorney Paul Fishman said there was no evidence that the two men used the information they acquired for criminal purposes. Authorities cautioned, however, that the information could have wound up in the hands of spammers and scammers.
Daniel Spitler, 26, of San Francisco, and Andrew Auernheimer, 25, of Fayetteville, Ark., face charges of fraud and conspiracy to access a computer without authorization. Both men were scheduled to appear in federal court Tuesday afternoon, Spitler in Newark and Auernheimer in Fayetteville.
Fishman characterized the men and their cohorts as engaging in "malicious one-upsmanship" as they sought to impress each other and others in the online community.
"We don't tolerate committing crimes for street cred," Fishman said. "Computer hacking is not a competitive sport, and security breaches are not a game."
The stolen e-mail addresses are unlikely to be the basis for identity theft, but a spammer armed with the addresses could send e-mail pretending to be from Apple or AT&T, which the recipients might be more likely to open.
The criminal complaint against Spitler and Auernheimer details online conversations in which the duo's peers discuss selling the addresses to spammers.
"you could put them in a database for spamming for example sell them to spammers ..." a user named Nstyr wrote to Spitler, the complaint alleges.
"tru ipad focused spam," Spitler responds.
The complaint quotes an article published on Gawker.com that contended the e-mail addresses of film mogul Harvey Weinstein, White House chief of staff Rahm Emanuel, New York Mayor Michael Bloomberg and Diane Sawyer of ABC News were among those lifted from AT&T's servers.
The case was brought in New Jersey because about 16,000 victims live in the state, Fishman said.
AT&T spokesman Mark Siegel said, "We take our customers' privacy very seriously." He said the company was not under investigation for the breach.
In June, AT&T Inc. acknowledged a security weak spot on a website that exposed the e-mail addresses of apparently more than 100,000 iPad users. The company said the vulnerability affected only iPad users who signed up for AT&T's "3G" wireless Internet service and that it had fixed the problem.
It involved an insecure way that AT&T's website would prompt iPad users when they tried to log into their AT&T accounts through the devices. The site would supply users' e-mail addresses, to make log-ins easier, based on unique codes contained in the SIM cards inside their iPads. SIM cards are used to tell cell phone networks which subscriber is trying to use the service.
A hacker group that called itself Goatse Security claimed at the time to have discovered the weakness and said it was able to trick AT&T's site into coughing up more than 114,000 e-mail addresses. Both Spitler and Auernheimer were members of the group, authorities said.
A representative for the group told The Associated Press in June that the group contacted AT&T and waited until the vulnerability was fixed before going public with the information. The U.S. attorney's office disputed that.
According to an affidavit filed in June and unsealed last month, the suspects used a computer script they called "the iPad3G Account Slurper" that mimicked the behavior of an iPad 3G so that AT&T's servers would falsely believe they were communicating with an actual iPad.
The theft of the e-mail addresses occurred between June 3 and June 8, according to the affidavit. On June 9, the information was provided Gawker, which published an article on the breach.
The affidavit also claims Auernheimer bragged about the operation in a blog posting on June 9 and an interview with CNET published online on June 10, but later backtracked from those statements. It quotes him from a New York Times article declaring, "I hack, I ruin, I make piles of money. I make people afraid for their lives."
Auernheimer also faces state narcotics charges in Arkansas stemming from the search of his residence in June, Fishman said.
Associated Press writer Jill Zeman Bleed in Little Rock, Ark., contributed to this story.
Copyright 2011 The Associated Press.
San Diego State University police are responding to a gas leak on campus, the department said in a series of alerts at about 9:20 a.m.
U.S. Sen. Kamala Harris is scheduled Friday to tour the Otay Mesa Immigration and Detention Facility, where she will visit migrant mothers who were separated from their children.
Sentencing is scheduled Friday for a San Diego man who beat, raped and strangled a female friend after watching her have sex with another couple, then stuffed her body in a suitcase and put it out with the trash.
As the weather heats up, County Animal Services says you may see more rattlesnakes out and about. The department has already received 656 rattlesnake calls since the beginning of the year, 100 more than last year at this time. Some 30 calls came in since last Wednesday.
A bleeding, gravely injured man banged on the door of a Lemon Grove home in an apparent last-gasp plea for help, and his death a short time later prompted sheriff's deputies to launch a homicide investigation, authorities said Friday.
High pressure over Northern Mexico will warm temperatures Friday. Coastal areas cooler due to weak onshore flow. Excessive heat warning in effect for San Diego County deserts through Friday evening.
Two dogs attacked a woman and her toddler son on an East County roadside Thursday, leaving them seriously injured, authorities said.
Come into Battle Axe and you are sure to learn a thing or two. The "axperts" will teach you two-handed throws and a little humility.