|NESS National Employee Screening Services|
Internet “Trolls” Arrested After
Hacking AT&T’s Servers
January 20, 2011 -
Two self-described Internet “trolls” were arrested on Tuesday for
allegedly hacking AT&T’s servers and stealing e-mail addresses and other
personal information belonging to approximately 120,000 Apple iPad users
who accessed the Internet via AT&T’s 3G network, United States Attorney
Paul J. Fishman announced.
The iPad is a
touch-screen tablet computer, developed and marketed by Apple Computers,
Inc., which allows users to, among other things, access the Internet and
send and receive electronic mail. Since the introduction of the iPad in
January 2010, AT&T has provided iPad users with Internet connectivity
via AT&T’s 3G wireless network. During the registration process for
subscribing to the network, a user is required to provide an e-mail
address, billing address, and password.
Prior to mid-June
2010, AT&T automatically linked an iPad 3G user’s e-mail address to the
Integrated Circuit Card Identifier (“ICC-ID”), a number unique to the
user’s iPad, when he registered. As a result, every time a user accessed
the AT&T website, his ICC-ID was recognized and his e-mail address was
automatically populated for faster, user-friendly access to the site.
AT&T kept the ICC-IDs and associated e-mail addresses confidential.
At that time, when
an iPad 3G communicated with AT&T’s website, its ICC-ID was
automatically displayed in the Universal Resource Locator, or “URL,” of
the AT&T website in plain text. Seeing this, and discovering that each
ICC-ID was connected to an iPad 3G user e-mail address, hackers wrote a
script termed the “iPad 3G Account Slurper”and deployed it against
The Account Slurper attacked AT&T’s servers for several days in early June 2010, and was designed to harvest as many ICC-ID/e-mail address pairings as possible. It worked by mimicking the behavior of an iPad 3G so that AT&T’s servers would be fooled into granting the Account Slurper access.
Once deployed, the
Account Slurper used a process known as a “brute force” attack—an
iterative process used to obtain information from a computer
system—against the servers, randomly guessing at ranges of ICC-IDs. An
incorrect guess was met with no additional information, while a correct
guess was rewarded with an ICC-ID/e-mail pairing for a specific,
identifiable iPad 3G user.
From June 5 through June 9, 2010, the Account Slurper stole for its hacker-authors approximately 120,000 ICC-ID/e-mail address pairings for iPad 3G customers. Immediately following the theft, the hacker-authors of the Account Slurper provided the stolen e-mail addresses and ICC-IDs to the website Gawker, which published the stolen information in redacted form, along with an article concerning the breach.
indicated that the breach “exposed the most exclusive e-mail list on the
planet,”and named a number of famous individuals whose e-mails had been
compromised, including Diane Sawyer, Harvey Weinstein, Mayor Michael
Bloomberg, and Rahm Emanuel. The article also stated that iPad users
could be vulnerable to spam marketing and malicious hacking. A group
calling itself “Goatse Security” was identified as obtaining the
According to its
website, Goatse Security is a loose association of Internet hackers and
self-professed Internet “trolls”—people who intentionally, and without
authorization, disrupt services and content on the Internet—to which
both Spitler and Auernheimer belong.
During the data
breach, Spitler and Auernheimer communicated with one another using
Internet Relay Chat, an Internet instant messaging program. Those chats
not only demonstrate that Spitler and Auernheimer were responsible for
the data breach, but also that they conducted the breach to
simultaneously damage AT&T and promote themselves and Goatse Security.
As the data breach continued, so too did the discussions between Spitler, Auernheimer, and other Goatse Security members about the best way to take advantage of the breach and associated theft. On June 10, 2010, immediately after going public with the breach, Spitler and Auernheimer discussed destroying evidence of their crime.
Fishman stated: “Hacking is not a competitive sport, and security
breaches are not a game. Companies that are hacked can suffer
significant losses, and their customers made vulnerable to other crimes,
privacy violations, and unwanted contact. Computer intrusions and the
spread of malicious code are a threat to national security, corporate
security, and personal security. Those who use technological expertise
for malicious purposes take note: your activities in cyberspace can have
serious consequences for you in the real world.”
principle of our society is confidence in a reasonable expectation of
personal privacy, which includes expectations of financial privacy,
medical privacy, and privacy in our communications,” said Michael B.
Ward, Special Agent in Charge of the FBI’s Newark field office.
Each defendant is charged with one count of conspiracy to access a computer without authorization and one count of fraud in connection with personal information. Each count with which the defendants are charged carries a maximum potential penalty of five years in prison and a fine of $250,000.
Fishman credited special agents of the FBI, under the direction of
Special Agent in Charge Michael B. Ward in
|©NESS National Employee Screening Services|