Hacker Pleads Guilty to Infiltrating AT&T Servers, iPad Data Breach
Defendant Stole E-Mail Addresses and Personal Information Belonging to 120,000 Apple iPad 3G Subscribers

NEWARK, NJ—A computer hacker who helped write the malicious code behind a breach of AT&T’s computer servers admitted today to conspiring to hack into the servers, steal information regarding iPad subscribers, and publicize the crime, U.S. Attorney Paul J. Fishman announced.

Daniel Spitler, 26, of San Francisco, Calif., pleaded guilty to an Information charging him with one count of conspiracy to gain unauthorized access to computers connected to the Internet and one count of identity theft. Spitler surrendered to FBI agents on January 18, 2011, and was originally charged by Complaint with the conspiracy. Spitler entered his guilty plea before U.S. District Judge Susan D. Wigenton this afternoon in Newark federal court.

“Computer hackers are exacting an increasing toll on our society, damaging individuals and organizations to gain notoriety for themselves,” said U.S. Attorney Fishman. “Hacks have serious implications—from the personal devastation of a stolen identity to danger to our national security. In the wake of other recent hacking attacks by loose-knit organizations like Anonymous and LulzSec, Daniel Spitler’s guilty plea is a timely reminder of the consequences of treating criminal activity as a competitive sport.”

“The magnitude of this crime affected everyone from high ranking members of the White House staff to the average American citizen,” said Michael B. Ward, Special Agent In Charge of the FBI’s Newark Division. “It’s important to note that it wasn’t just the hacking itself that was criminal, but what could potentially occur utilizing the pilfered information. Because of the popularity and widespread use of the new and emerging technology of the iPad and devices like it, it was absolutely critical that emerging threats to it were addressed promptly and aggressively. The FBI’s Cyber Crimes Task Force did so by remaining on the cutting edge of computer forensics, quickly zeroing in on the perpetrators who mistakenly believed they were hidden behind a cloak of cyberspace, ultimately exposing them to justice and the world.”

According to documents filed in this case and statements made in Newark federal court:

Spitler admitted that he was a member of an organization known as Goatse Security, which, according to its website, is a loose association of Internet hackers and self-professed Internet “trolls”—people who intentionally, and without authorization, disrupt services and content on the Internet.

Prior to mid-June 2010, AT&T automatically linked an iPad 3G user’s e-mail address to the Integrated Circuit Card Identifier (“ICC-ID”), a number unique to the user’s iPad, when the user registered. As a result, every time a user accessed the AT&T website, his or her ICC-ID was recognized and his or her e-mail address was automatically populated for faster, user-friendly access to the site. AT&T kept the ICC-IDs and associated e-mail addresses confidential.

Seeing this, and discovering that each ICC-ID was connected to an iPad 3G user e-mail address, hackers, including Spitler, wrote a script termed the “iPad 3G Account Slurper” and deployed it against AT&T’s servers.

The Account Slurper attacked AT&T’s servers for several days in early June 2010, and was designed to harvest as many ICC-ID/e-mail address pairings as possible. It worked by mimicking the behavior of an iPad 3G so that AT&T’s servers would be fooled into granting the Account Slurper access. Once deployed, the Account Slurper used a process known as a “brute force” attack—an iterative process used to obtain information from a computer system—against the servers, randomly guessing at ranges of ICC-IDs. An incorrect guess was met with no additional information, while a correct guess was rewarded with an ICC-ID/e-mail pairing for a specific, identifiable iPad 3G user.

Spitler admitted to communicating during the data breach with his co-defendant, Andrew Auernheimer, 25, who was arrested January 18, 2011, in Fayetteville, Ark., while appearing in state court on unrelated drug charges. The two wrote each other during the breach using Internet Relay Chat, an Internet instant messaging program. Those chats included discussions between Spitler, Auernheimer, and other Goatse Security members about the best way to take advantage of the breach and associated theft.

Immediately following the theft, the hacker-authors of the Account Slurper provided the stolen e-mail addresses and ICC-IDs to the website Gawker, which published the stolen information in redacted form, along with an article concerning the breach. The article indicated that the breach “exposed the most exclusive e-mail list on the planet,” and named a number of famous individuals whose e-mails had been compromised, including Diane Sawyer, Harvey Weinstein, Mayor Michael Bloomberg, and Rahm Emanuel. The article also stated that iPad users could be vulnerable to spam marketing and malicious hacking.

On June 10, 2010, immediately after publicizing the breach, Spitler and Auernheimer discussed destroying evidence of their crime.

The charges to which Spitler pleaded guilty each carry a maximum potential penalty of five years in prison and a $250,000 fine. Sentencing is currently scheduled for September 28, 2011.

U.S. Attorney Fishman credited special agents of the FBI’s Newark Cyber Crimes Task Force, under the direction of Special Agent in Charge Michael B. Ward in Newark, with the investigation leading to the charges; as well the forensic examiners of the New Jersey Regional Computer Forensics Laboratory and the New Jersey Division of Criminal Justice. He also thanked special agents of the FBI’s Little Rock, Arkansas Divison, Fayetteville Resident Agency, under the direction of Special Agent in Charge Valerie Parlave; and the San Francsiso Division, under the direction of Special Agent In Charge Stephanie Douglas. U.S. Attorney Fishman also recognized the U.S. Attorney’s Office for the Western District of Arkansas, under the direction of U.S. Attorney William Conner Eldridge.

The government is represented by Assistant U.S. Attorney Zach Intrater of the Computer Hacking and Intellectual Property Section of the U.S. Attorney’s Office Economic Crimes Unit in Newark.

As for Auernheimer, the charges and allegations contained in the Complaint are merely accusations, and the defendant is presumed innocent unless and until proven guilty.

Defense counsel: Susan C. Cassell Esq., Ridgewood, N.J.