On Tuesday morning, two members of the group Goatse Security, who hacked into AT&T's customer database last year and delivered close to 120,000 e-mail addresses of iPad 3G owners to Gawker, were arrested by the FBI. The pair, Daniel Spitler, 25, and Andrew Auernheimer, 26, used a "brute force" attack and an AT&T security hole to gather the email addresses.The pair used the fact that iPad 3G's SIM has an ICC-ID, a 19-digit code that AT&T associated with a user's account and email address. AT&T used the ICC-ID to pre-populate a field containing the owner's email address when the user needed to login and check account status. By attempting ICC-IDs until they got a "hit," the pair was able to gather the email addresses.
In a statement, U.S. Attorney Paul Fishman in New Jersey said:
"Hacking is not a competitive sport, and security breaches are not a game. Companies that are hacked can suffer significant losses, and their customers made vulnerable to other crimes, privacy violations and unwanted contact."Each of the two was each charged with one count of fraud and one count of conspiracy to access a computer without authorization. Each of those charges carries a maximum punishment of five years in prison plus a $250,000 fine.
Although Goatse Security notified AT&T of the breach after harvesting the data, the U.S. Attorney's statement noted that in chats, it was made clear that the group wasn't doing this to be altruistic. Instead, Fishman said,
"Those chats not only demonstrate that Spitler and Auernheimer were responsible for the data breach, but also that they conducted the breach to simultaneously damage AT&T and promote themselves and Goatse Security."Last year, Auernheimer was arrested on drug charges. Authorities were actually searching his home for evidence related to the AT&T - iPad investigation. Auernheimer is pictured above in a booking photo from that arrest.
