2 Charged With Stealing iPad Users’ Information

Report: Victims Include Mayor Bloomberg, Rahm Emanuel

NEWARK, N.J. (CBSNewYork/AP) — Two hackers who were engaged in a game of “malicious one-upsmanship” stole the e-mail addresses of more than 100,000 Apple iPad users, including those of politicians and famous media personalities, federal prosecutors said Tuesday in announcing criminal charges against the men.

AT&T revealed the security vulnerability months ago, and U.S. Attorney Paul Fishman said there was no evidence that the two men used the information they acquired for criminal purposes. Authorities cautioned, however, that the information could have wound up in the hands of spammers and scammers.

Daniel Spitler, 26, of San Francisco, and Andrew Auernheimer, 25, of Fayetteville, Ark., face charges of fraud and conspiracy to access a computer without authorization. Both men were scheduled to appear in federal court Tuesday afternoon, Spitler in Newark and Auernheimer in Fayetteville.

Fishman characterized the men and their cohorts as engaging in “malicious one-upsmanship” as they sought to impress each other and others in the online community.

WCBS 880 Reporter Peter Haskell reports on the iPad hacking and who was a victim

1010 WINS Reporter Steve Sandberg on the iPad breach.

“We don’t tolerate committing crimes for street cred,” Fishman said. “Computer hacking is not a competitive sport, and security breaches are not a game.”

“Aurenheimer and Spitler treated the criminal theft of confidential information as a joke, literally bragging about it to increase their notoriety and prestige. But there is nothing funny about the consequences of illegal computer hacking,” Fishman told CBS 2’s Christine Sloan.

The stolen e-mail addresses are unlikely to be the basis for identity theft, but a spammer armed with the addresses could send e-mail pretending to be from Apple or AT&T, which the recipients might be more likely to open.

The criminal complaint against Spitler and Auernheimer details online conversations in which the duo’s peers discuss selling the addresses to spammers.

“you could put them in a database for spamming for example sell them to spammers …” a user named Nstyr wrote to Spitler, the complaint alleges.

“tru ipad focused spam,” Spitler responds.

The complaint quotes an article published on Gawker.com that contended the e-mail addresses of film mogul Harvey Weinstein, White House chief of staff Rahm Emanuel, New York Mayor Michael Bloomberg and Diane Sawyer of ABC News were among those lifted from AT&T’s servers.

The case was brought in New Jersey because about 16,000 victims live in the state, Fishman said.

AT&T spokesman Mark Siegel said, “We take our customers’ privacy very seriously.” He said the company was not under investigation for the breach.

In June, AT&T Inc. acknowledged a security weak spot on a website that exposed the e-mail addresses of apparently more than 100,000 iPad users. The company said the vulnerability affected only iPad users who signed up for AT&T’s “3G” wireless Internet service and that it had fixed the problem.

It involved an insecure way that AT&T’s website would prompt iPad users when they tried to log into their AT&T accounts through the devices. The site would supply users’ e-mail addresses, to make log-ins easier, based on unique codes contained in the SIM cards inside their iPads. SIM cards are used to tell cell phone networks which subscriber is trying to use the service.

A spokesperson for Apple told CBS 2 it has no comment on the hacking allegations.

A hacker group that called itself Goatse Security claimed at the time to have discovered the weakness and said it was able to trick AT&T’s site into coughing up more than 114,000 e-mail addresses. Both Spitler and Auernheimer were members of the group, authorities said.

A representative for the group told The Associated Press in June that the group contacted AT&T and waited until the vulnerability was fixed before going public with the information. The U.S. attorney’s office disputed that.

According to an affidavit filed in June and unsealed last month, the suspects used a computer script they called “the iPad3G Account Slurper” that mimicked the behavior of an iPad 3G so that AT&T’s servers would falsely believe they were communicating with an actual iPad.

The theft of the e-mail addresses occurred between June 3 and June 8, according to the affidavit. On June 9, the information was provided Gawker, which published an article on the breach.

The affidavit also claims Auernheimer bragged about the operation in a blog posting on June 9 and an interview with CNET published online on June 10, but later backtracked from those statements. It quotes him from a New York Times article declaring, “I hack, I ruin, I make piles of money. I make people afraid for their lives.”

Auernheimer also faces state narcotics charges in Arkansas stemming from the search of his residence in June, Fishman said.

(Copyright 2011 by The Associated Press. All Rights Reserved.)

More from Peter Haskell
  • Hal

    The only reason they were prosecuted is because the wealthy were involved. I had my identity stolen last year and the authorities did NOTHING. They basically said no one investigates online identity theft. Unless you are rich or famous….

  • Send them to Iran

    If they were to do that elsewhere their hands would be chopped off. Our laws are too lax. Listening Wall St?

  • Nick

    How could it be hacking when it’s just freely available in the open air?

  • dont@emailme.com

    What do zombies and ipad users have in common ?
    They both need Brains, Brains…

  • Devenio

    “The affidavit also claims Auernheimer bragged about the operation in a blog posting on June 9 and an interview with CNET published online on June 10, but later backtracked from those statements…” So bragging is a crime these days? America is dead and the rich killed it.

  • Leesh

    to KPMc, they must have ;-)

  • Roy

    Thes guys reaked havick …and need to pay the piper with a long prison term…

    • Devenio

      Don’t you have to be over 10 to post on this site? Tell us Roy, what “havick” did these guys “reak?” You and a few others here must be doing a class assignment on posting to news websites. Tell us Roy, at what point in the above article did something illegal happen? This will count as 50 points on your final exam.

    • KPMc

      Did they disable your spell check too?

  • Mike Diaz

    Gotta love ATT

blog comments powered by Disqus
Giving Tuesday
Charles Osgood Event

Listen Live