* Data from about 120,000 iPad users allegedly stolen
* US says "account slurper" used for "brute force attack"
* iPad users said to use AT&T's 3G network
(Adds bail, Apple iPad sales)
By Jonathan Stempel
NEW YORK, Jan 18 U.S. prosecutors have charged
two men with stealing and distributing email addresses for
about 120,000 users of Apple Inc's (AAPL.O) popular iPad.
Investigators accused Daniel Spitler and Andrew Auernheimer
of using an "account slurper" to conduct a "brute force" attack
over five days last June, to extract data about iPad users who
accessed the Internet through AT&T Inc's (T.N) 3G network.
Among the possible victims were celebrities, businesses
executives and government officials such as New York City Mayor
Michael Bloomberg, ABC News (DIS.N) anchor Diane Sawyer, movie
mogul Harvey Weinstein and perhaps then-White House Chief of
Staff Rahm Emanuel, prosecutors said.
Spitler, 26, and Auernheimer, 25, were taken into custody
by FBI agents on Tuesday morning, U.S. Attorney Paul Fishman in
New Jersey said in a statement.
Prosecutors said both defendants are associated with Goatse
Security, a group of "self-professed Internet 'trolls'" who try
to disrupt online content and services. They said Auernheimer
bragged in published interviews about his trolling.
"Hacking is not a competitive sport, and security breaches
are not a game," Fishman said. "Companies that are hacked can
suffer significant losses, and their customers made vulnerable
to other crimes, privacy violations and unwanted contact."
The defendants were each charged with one count of fraud
and one count of conspiracy to access a computer without
authorization. Each charge carries a maximum punishment of five
years in prison plus a $250,000 fine.
Bail was set at $50,000 for Spitler, a resident of San
Francisco, at a hearing in the federal court in Newark, New
Jersey. Auernheimer was detained pending a Jan. 21 hearing at
the federal court in his hometown of Fayetteville, Arkansas.
Lawyers for both defendants were not immediately available
to comment. Apple spokeswoman Trudy Muller declined to comment.
AT&T spokesman Mark Siegel said that company cooperates with
law enforcement when necessary to protect customer privacy.
Responding to an email request to Goatse for comment, Sam
Hocevar, a member of Goatse's "team," according to the group's
website, confirmed the charges relate to the June hacking. He
said he did not have additional information.
Apple launched the iPad last April. On Tuesday, it reported
sales of 7.33 million of the tablet computers in its quarter
ended Dec. 25, which included the holiday shopping season.
According to the complaint, the account slurper randomly
guessed at data held on AT&T's servers until it could match
names with emails.
The defendants then supplied stolen data to gossip website
Gawker, which published some details, the complaint said.
"Having email addresses by itself is not much of a threat:
people give them out all the time, and spammers can and do
guess them easily," said Eugene Spafford, executive director of
the Center for Education and Research in Information Assurance
and Security at Purdue University.
"It is more an issue if you can pair addresses with places
of employment, such as government agencies," he added. "Then it
becomes possible to collect further information, and perhaps
get a toehold into Google, Bing or other information sources."
AT&T was Apple's partner in the United States to provide
wireless service on the iPad. After the hacking, it shut off
the feature that allowed email addresses to be obtained.
The case "has hopefully awakened users to the value of a
simple email address," said Jamz Yaneza, a threat research
manager at Internet security company Trend Micro Inc (4704.T).
The case is U.S. v. Spitler et al, U.S. District Court,
District of New Jersey, No. 11-mag-04022.
(Reporting by Jonathan Stempel in New York; additional
reporting by Sinead Carew; editing by Dave Zimmerman, Derek
Caney, Steve Orlofsky and Andre Grenon)