NEWARK, N.J. – Federal prosecutors on Tuesday announced the arrests of two men who are accused of stealing e-mail addresses and other information from more than 100,000 Apple iPad users -- a security vulnerability that AT&T revealed months ago.
Daniel Spitler, 26, of San Francisco, and Andrew Auernheimer, 25, of Fayetteville, Ark., face charges of fraud and conspiracy to access a computer without authorization. Both men were scheduled to appear in federal court Tuesday afternoon, Spitler in Newark and Auernheimer in Fayetteville.
In June, AT&T Inc. acknowledged a security weak spot that exposed the e-mail addresses of apparently more than 100,000 iPad users. The company said the vulnerability affected only iPad users who signed up for AT&T's "3G" wireless Internet service and that it had fixed the problem.
It involved an insecure way that AT&T's website would prompt iPad users when they tried to log into their AT&T accounts through the devices. The site would supply users' e-mail addresses, to make log-ins easier, based on unique codes contained in the SIM cards inside their iPads. SIM cards are used to tell cell phone networks which subscriber is trying to use the service.
A hacker group that called itself Goatse Security claimed at the time to have discovered the weakness and said it was able to trick AT&T's site into coughing up more than 114,000 e-mail addresses, including those of famous media personalities and important government officials.
A representative for the group told The Associated Press in June that the group contacted AT&T and waited until the vulnerability was fixed before going public with the information.
According to an affidavit filed in June and unsealed last month, the suspects used a computer script they called "the iPad3G Account Slurper" that mimicked the behavior of an iPad 3G so that AT&T's servers would falsely believe they were communicating with an actual iPad.
The theft of the e-mail addresses occurred between June 3 and June 8, according to the affidavit. On June 9, the information was provided to the website www.gawker.com, which published an article on the breach.
The affidavit also claims Auernheimer bragged about the operation in a blog posting on June 9 and an interview with CNET published online on June 10, but later backtracked from those statements. It quotes him from a New York Times article declaring, "I hack, I ruin, I make piles of money. I make people afraid for their lives."
The U.S. Attorney's Office in Newark was scheduled to hold a Tuesday afternoon news conference to detail the investigation.