AT&T iPad hacker pleads guilty

Last year, he helped obtain 120,000 iPad users' e-mail addresses and other information

A 26-year-old man who last year helped hackers publish personal information belonging to about 120,000 iPad users pleaded guilty to fraud and hacking charges in a New Jersey court Thursday.

Daniel Spitler pleaded guilty in federal court to two felony charges, according to Rebekah Carmichael, a spokeswoman with the U.S. Department of Justice. He faces a maximum of 10 years in prison on the charges, but his plea agreement recommends a 12- to 18-month sentence.

He is one of two men charged in the June 2010 incident that embarrassed Apple and AT&T and brought the hacking group, Goatse Security, international attention. The other man, Andrew Auernheimer, is still in negotiations over a plea agreement, according to court records. Both men are facing charges in the U.S. District Court for the District of New Jersey.

At the time of the incident, Goatse hackers claimed that they were merely trying to make AT&T aware of a security issue on its website. They discovered that anyone could query the site and learn the e-mail addresses and unique ICC-ID (integrated circuit card identifier) numbers belonging to the iPad users.

According to reports and court filings, they wrote a script that guessed the ICC-ID numbers (used to identify the iPad's SIM card) and then queried AT&T's website until it returned an e-mail address. Spitler had been accused of co-authoring this software, called "iPad 3G Account Slurper."

The group uncovered e-mail addresses belonging to members of the military, politicians and business leaders including New York Mayor Michael Bloomberg and former White House Chief of Staff Rahm Emanuel.

The incident became a huge embarrassment for AT&T after Auernheimer and Spitler handed their findings over to a reporter at Gawker.com.

In interviews after the hack, Auernheimer said his group had notified AT&T about the issue. But online chat logs filed in court by the prosecution cast doubt on that claim. "[Y]ou DID call tech support right?" asked one hacker, named Nstyr, in a chat log excerpt obtained by prosecutors. "[T]otally but not really," Auernheimer replied. "[I] don't... care [I] hope they sue me."

In other chat log excerpts, Spitler and Auernheimer appear to be publicizing their data in order to cause the maximum amount of embarrassment to the companies involved -- for "lols," in hacker-speak. At one point, Spitler asks Auernheimer, "where can we drop this for max lols?"

On Thursday Goatse spokesman Leon Kaiser said iPad users would have faced serious consequences if the group hadn't gone public with its information. "Goatse Securities' disclosure process was kinder and safer than many well-respected security researchers," he said in an e-mail message. "AT&T refused to take responsibility for this gaping hole, and instead decided to take it out on two of our own in order to save face."

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com
