Two self-proclaimed Internet trolls were arrested yesterday for allegedly hacking AT&T's servers and stealing email addresses and other personal information of nearly 120,000 iPad users who accessed the Internet via AT&T's 3G network, United States Attorney Paul J. Fishman announced.
Andrew Auernheimer, 25, of Fayetteville, Ark., and Daniel Spitler, 26, of San Francisco, Calif., were arrested yesterday and each charged with an alleged conspiracy to hack AT&T's servers and for possession of personal subscriber information obtained from the servers.
According to the complaint unsealed yesterday, the suspects wrote a script called the “iPad 3G Account Slurper“ and deployed it against AT&T's servers to steal iPad 3G users’ personal information.
The Account Slurper attacked AT&T's servers for several days in June 2010, and was designed to harvest as many Integrated Circuit Card Identifiers, a number unique to the user's iPad, and email address pairings as possible. Once deployed, the Account Slurper used a brute force attack against the servers, randomly guessing at ranges of ICC-IDs. An incorrect guess was met with no additional information, while a correct guess was rewarded with an ICC-ID/email pairing for a specific, identifiable iPad 3G user.
The Account Slurper stole approximately 120,000 ICC-ID/email address pairings for iPad 3G customers. Immediately following the theft, the suspects allegedly provided the stolen email addresses and ICC-IDs to the website Gawker, which published the stolen information in redacted form, along with an article concerning the breach.
The article said the breach “exposed the most exclusive email list on the planet,“ and named multiple famous individuals whose emails had been compromised, including Diane Sawyer, Harvey Weinstein and Rahm Emanuel. A group calling itself “Goatse Security“ was identified as obtaining the subscriber data, a loose association of hackers and self-professed Internet trolls to which both Spitler and Auernheimer reportedly belonged.
Auernheimer, who used the name Weev online, has previously been forthcoming about his trolling activities, and told The New York Times on Aug. 3, 2008, “I hack, I ruin, I make piles of money. I make people afraid for their lives.“
Each defendant is charged with one count of conspiracy to access a computer without authorization and one count of fraud in connection with personal information. Each count carries a maximum potential penalty of five years in prison and a fine of $250,000.