A 26-year-old San Francisco man pleaded guilty today to conspiracy and ID theft charges related to his part in accessing iPad customer data on an AT&T Web site a year ago and publicizing it.
Daniel Spitler wrote a script called the "iPad 3G Account Slurper" and used it against AT&T servers in June 2010 to harvest e-mail addresses and associated unique iPad numbers, according to a statement from the U.S. Department of Justice office in Newark, N.J.
Spitler admitted to communicating with co-defendant Andrew Auernheimer over Internet Relay Chat during the breach about how they should take advantage of the Web site hole and the data from 100,000 accounts that was exposed, the DOJ said. They decided to provide the information to Gawker, which published it in redacted form.
Spitler had surrendered to FBI agents in January and Auernheimer, 25, was arrested January 18 in Fayetteville, Ark., while appearing in state court on unrelated drug charges. The case against Auernheimer is still pending, a DOJ spokeswoman said.
Spitler faces up to 10 years in prison and $500,000 in fines on one count of conspiracy to gain unauthorized access to computers and one count of identity theft. He is scheduled to be sentenced September 28 in Newark federal court.
In an interview with CNET last summer, Auernheimer said he and his Goatse Security hacking cohorts acted with the intention of warning AT&T about the hole and notifying iPad 3G customers about the exposure of their data. However, group members indicated in chat logs obtained by the DOJ that they had not contacted AT&T.
"The magnitude of this crime affected everyone from high ranking members of the White House staff to the average American citizen," said Michael B. Ward, special agent in charge of the FBI's Newark Division. "It's important to note that it wasn't just the hacking itself that was criminal, but what could potentially occur utilizing the pilfered information."
The main threat for iPad customers was that someone would send them customized phishing e-mails in an attempt to trick them into revealing sensitive data or downloading malware. Goatse members discuss those possibilities, according to chat logs obtained by the DOJ. "I just had an idea send out at&t phishing e-mails to all these idiots with an ipad Trojan..." a Goatse member with the handle "Rucas" wrote.
In another exchange in the logs, Auernheimer writes: "This could be like, a future massive phishing operation serious like this is valuable data we have a list a potential complete list of AT&T iphone subscriber emails," to which Spitler responds: "ipad but yeah."
Among the iPad users who appeared to have been affected by the breach were White House Chief of Staff Rahm Emanuel, journalist Diane Sawyer, New York Mayor Michael Bloomberg, movie producer Harvey Weinstein, and New York Times CEO Janet Robinson.