U.S. Announces Charges for Alleged Hack Into AT&T Servers Via iPad Users

U.S. prosecutors accused two men of hacking AT&T Inc.’s computer servers to steal the e-mail addresses and personal data of about 120,000 Apple Inc. iPad users.

Daniel Spitler, 26, of San Francisco, and Andrew Auernheimer, 25, of Fayetteville, Arkansas, were charged with breaches that occurred last June. Both are associated with Goatse Security, “a loose association” of hackers and so- called trolls, or people who disrupt Internet service, according to a complaint filed in federal court in Newark, New Jersey.

The data breach and theft were “for the express purpose of causing monetary and reputational damage to AT&T and monetary and reputational benefits” for Spitler and Auernheimer, according to a Federal Bureau of Investigation complaint.

“Hacking is not a competitive sport and security breaches are not a game,” U.S. Attorney Paul Fishman said at a news conference in Newark. “It’s like what people might perceive as stealing for a joyride. It can start out looking like a prank, but it can quickly become more malicious.”

The men are charged with conspiracy to access a computer without authorization and fraud in connection with personal information. They face as long as five years in prison on each count. Spitler, who surrendered today to the FBI, appeared in federal court in Newark, where U.S. Magistrate Judge Claire Cecchi set a $50,000 appearance bond for his bail. She barred him from using computers and the Internet at home.

‘Only Charges’

Asked after the hearing about the charges, his attorney, Susan Cassell said: “They are only charges.”

Auernheimer appeared in federal court in Fayetteville, where U.S. Magistrate Judge Erin Setser ordered him detained pending a bail hearing on Jan. 21, courtroom deputy Gina Hellums said.

“We take our customers’ privacy very seriously and we cooperate with law enforcement whenever necessary to protect it,” Mark Siegel, a spokesman for Dallas-based AT&T, said in an e-mailed statement. He referred further questions to prosecutors.

Trudy Muller, a spokeswoman for Cupertino, California-based Apple, declined to comment.

AT&T apologized on June 14 to iPad 3G tablet computer users whose e-mail addresses were exposed during a security breach disclosed in the preceding week.

3G Network

AT&T offered Internet connections to iPad users over its 3G wireless network, according to the complaint. Users had to register with AT&T, which required them to provide an e-mail address. AT&T linked that e-mail address to a 19- or 20-digit code known as an Integrated Circuit Card Identifier, or ICC-ID.

Before mid-June 2010, when an iPad 3G communicated with AT&T’s website, its ICC-ID was automatically displayed in the Universal Resource Locator, or URL, according to the complaint.

Hackers wrote a script known as the “iPad 3G Account Slurper” to attack AT&T’s website and “harvest as many ICC- ID/e-mail address pairings as possible,” according to the FBI. The Account Slurper fooled AT&T’s servers into believing they were communicating with an actual iPad 3G, according to the complaint.

Goatse Security took credit for the attacks between June 5 and June 9, and provided the stolen e-mail addresses and ICC-IDs to Gawker.com, according to the FBI.

Those whose e-mail addresses were stolen include former White House Chief of Staff Rahm Emanuel, New York City Mayor Michael Bloomberg, and ABC News Anchor Diane Sawyer.

Emanuel, Bloomberg

The press offices for Emanuel, who is running for mayor of Chicago, and Bloomberg, the founder and majority owner of Bloomberg News parent Bloomberg LP, didn’t respond to requests for comment. ABC spokesman David Ford declined comment.

In an open letter posted Nov. 18 on the Goatse Security website, Auernheimer discussed an investigation by Assistant U.S. Attorney Lee Vartan, who worked in Newark, according to the FBI.

“AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers over the rights of shareholders,” the letter said.

“I advise you to discuss this matter with your family, your friends, victims of crimes you have prosecuted and your teachers, for they are the people who would have been harmed had AT&T been allowed to silently bury their negligent endangerment of United States infrastructure,” it said.

Auernheimer, who also goes by the name Weev, said in an interview with the New York Times on Aug. 3, 2008: “I hack, I ruin, I make piles of money. I make people afraid for their lives.” He also said: “Trolling is basically Internet eugenics. I want everyone off the Internet. Bloggers are filth. They need to be destroyed.”

House Searched

U.S. authorities conducted a search of Auernheimer’s house on June 15, according to the complaint. After that search, Auernheimer was charged with state narcotics offenses in Arkansas, Fishman said today.

Auernheimer told investigators that he and other members of Goatse Security had communicated using an online medium known as Internet Relay Chat.

A month later, a confidential source gave authorities 150 pages of chat logs that “conclusively demonstrate that defendants Spitler and Auernheimer were responsible for the data breach and conducted the breach to simultaneously damage AT&T and promote themselves and Goatse Security,” according to the FBI.

The case is U.S. v. Spitler, 11-mj-4022, U.S. District Court, District of New Jersey (Newark). The search warrant application is In the Matter of the Search of 505 North Shady Avenue, FA 10-36, U.S. District Court, Western District of Arkansas (Fayetteville).

To contact the reporters on this story: David Voreacos in Newark at dvoreacos@bloomberg.net

To contact the editor responsible for this story: David E. Rovella at drovella@bloomberg.net

Press spacebar to pause and continue. Press esc to stop.

Bloomberg reserves the right to remove comments but is under no obligation to do so, or to explain individual moderation decisions.

Please enable JavaScript to view the comments powered by Disqus.