NEWARK, N.J. (AP) - Two hackers who were engaged in game of "malicious one-upsmanship" stole the e-mail addresses of more than 100,000 Apple iPad users, including those of politicians and famous media personalities, federal prosecutors said Tuesday in announcing criminal charges against the men.
AT&T revealed the security vulnerability months ago, and U.S. Attorney Paul Fishman said there was no evidence that the two men used the information they acquired for criminal purposes. Authorities cautioned, however, that the information could have wound up in the hands of spammers and scammers.
Daniel Spitler, 26, of San Francisco, and Andrew Auernheimer, 25, of Fayetteville, Ark., face charges of fraud and conspiracy to access a computer without authorization. Both men were scheduled to appear in federal court Tuesday afternoon, Spitler in Newark and Auernheimer in Fayetteville.
Fishman characterized the men and their cohorts as engaging in "malicious one-upsmanship" as they sought to impress each other and others in the online community.
"We don't tolerate committing crimes for street cred," Fishman said. "Computer hacking is not a competitive sport, and security breaches are not a game."
The stolen e-mail addresses are unlikely to be the basis for identity theft, but a spammer armed with the addresses could send e-mail pretending to be from Apple or AT&T, which the recipients might be more likely to open.
The criminal complaint against Spitler and Auernheimer details online conversations in which the duo's peers discuss selling the addresses to spammers.
"you could put them in a database for spamming for example sell them to spammers ..." a user named Nstyr wrote to Spitler, the complaint alleges.
"tru ipad focused spam," Spitler responds.
The complaint quotes an article published on Gawker.com that contended the e-mail addresses of film mogul Harvey Weinstein, White House chief of staff Rahm Emanuel, New York Mayor Michael Bloomberg and Diane Sawyer of ABC News were among those lifted from AT&T's servers.
The case was brought in New Jersey because about 16,000 victims live in the state, Fishman said.
AT&T spokesman Mark Siegel said, "We take our customers' privacy very seriously." He said the company was not under investigation for the breach.
In June, AT&T Inc. acknowledged a security weak spot on a website that exposed the e-mail addresses of apparently more than 100,000 iPad users. The company said the vulnerability affected only iPad users who signed up for AT&T's "3G" wireless Internet service and that it had fixed the problem.
It involved an insecure way that AT&T's website would prompt iPad users when they tried to log into their AT&T accounts through the devices. The site would supply users' e-mail addresses, to make log-ins easier, based on unique codes contained in the SIM cards inside their iPads. SIM cards are used to tell cell phone networks which subscriber is trying to use the service.
A hacker group that called itself Goatse Security claimed at the time to have discovered the weakness and said it was able to trick AT&T's site into coughing up more than 114,000 e-mail addresses. Both Spitler and Auernheimer were members of the group, authorities said.
A representative for the group told The Associated Press in June that the group contacted AT&T and waited until the vulnerability was fixed before going public with the information. The U.S. attorney's office disputed that.
According to an affidavit filed in June and unsealed last month, the suspects used a computer script they called "the iPad3G Account Slurper" that mimicked the behavior of an iPad 3G so that AT&T's servers would falsely believe they were communicating with an actual iPad.
The theft of the e-mail addresses occurred between June 3 and June 8, according to the affidavit. On June 9, the information was provided Gawker, which published an article on the breach.
The affidavit also claims Auernheimer bragged about the operation in a blog posting on June 9 and an interview with CNET published online on June 10, but later backtracked from those statements. It quotes him from a New York Times article declaring, "I hack, I ruin, I make piles of money. I make people afraid for their lives."
Auernheimer also faces state narcotics charges in Arkansas stemming from the search of his residence in June, Fishman said.
Associated Press writer Jill Zeman Bleed in Little Rock, Ark., contributed to this story.
Copyright 2011 The Associated Press.
Tensions remained high in Tijuana and at the U.S.- Mexico border Sunday, where thousands of members of a migrant caravan began arriving in the past week planning to seek asylum in the United States.
Walkers participating in The Susan G. Komen 3-Day San Diego - including News 8’s own Barbara-Lee Edwards - will finish their 60-mile journey on Sunday.
All northbound lanes of Interstate 5 will be closed from 10:30 p.m. to 5 a.m. starting Sunday night and continuing through Tuesday, according to the San Diego Association of Governments.
Temperatures take a cooling trend into early next week, with only a slight increase on Sunday disrupting the trend.
Northern California crews battling the country's deadliest wildfire in a century were bracing for strong winds Sunday that could erode gains they have made in containing the fearsome blaze, which has killed at least 76 and leveled a town.
Residents of Malibu who were forced to evacuate because of the Woolsey Fire have begun returning to their homes while others received notice they could return by Monday, as the estimated date for full containment of the fire was moved back to Thursday.
Some residents of Malibu forced to evacuate because of the Woolsey Fire returned to their homes Saturday while others received notice they could return Sunday and Monday, as firefighters battled for control of the huge blaze for a 10th day.
A power outage in central San Diego affecting over 2,200 homes in University Heights, North Park, Normal Heights, Kensington, Talmadge, and West State College was reported early Saturday morning just after 7:00 a.m.