* Data from about 120,000 iPad users allegedly stolen
* US says “account slurper” used for “brute force attack”
* iPad users said to use AT&T’s 3G network (Adds bail, Apple iPad sales)
By Jonathan Stempel
NEW YORK, Jan 18 (Reuters) - U.S. prosecutors have charged two men with stealing and distributing email addresses for about 120,000 users of Apple Inc’s (AAPL.O) popular iPad.
Investigators accused Daniel Spitler and Andrew Auernheimer of using an “account slurper” to conduct a “brute force” attack over five days last June, to extract data about iPad users who accessed the Internet through AT&T Inc’s (T.N) 3G network.
Among the possible victims were celebrities, businesses executives and government officials such as New York City Mayor Michael Bloomberg, ABC News (DIS.N) anchor Diane Sawyer, movie mogul Harvey Weinstein and perhaps then-White House Chief of Staff Rahm Emanuel, prosecutors said.
Spitler, 26, and Auernheimer, 25, were taken into custody by FBI agents on Tuesday morning, U.S. Attorney Paul Fishman in New Jersey said in a statement.
Prosecutors said both defendants are associated with Goatse Security, a group of “self-professed Internet ‘trolls’” who try to disrupt online content and services. They said Auernheimer bragged in published interviews about his trolling.
“Hacking is not a competitive sport, and security breaches are not a game,” Fishman said. “Companies that are hacked can suffer significant losses, and their customers made vulnerable to other crimes, privacy violations and unwanted contact.”
The defendants were each charged with one count of fraud and one count of conspiracy to access a computer without authorization. Each charge carries a maximum punishment of five years in prison plus a $250,000 fine.
Bail was set at $50,000 for Spitler, a resident of San Francisco, at a hearing in the federal court in Newark, New Jersey. Auernheimer was detained pending a Jan. 21 hearing at the federal court in his hometown of Fayetteville, Arkansas.
Lawyers for both defendants were not immediately available to comment. Apple spokeswoman Trudy Muller declined to comment. AT&T spokesman Mark Siegel said that company cooperates with law enforcement when necessary to protect customer privacy.
Responding to an email request to Goatse for comment, Sam Hocevar, a member of Goatse’s “team,” according to the group’s website, confirmed the charges relate to the June hacking. He said he did not have additional information.
Apple launched the iPad last April. On Tuesday, it reported sales of 7.33 million of the tablet computers in its quarter ended Dec. 25, which included the holiday shopping season.
According to the complaint, the account slurper randomly guessed at data held on AT&T’s servers until it could match names with emails.
The defendants then supplied stolen data to gossip website Gawker, which published some details, the complaint said.
“Having email addresses by itself is not much of a threat: people give them out all the time, and spammers can and do guess them easily,” said Eugene Spafford, executive director of the Center for Education and Research in Information Assurance and Security at Purdue University.
“It is more an issue if you can pair addresses with places of employment, such as government agencies,” he added. “Then it becomes possible to collect further information, and perhaps get a toehold into Google, Bing or other information sources.”
AT&T was Apple’s partner in the United States to provide wireless service on the iPad. After the hacking, it shut off the feature that allowed email addresses to be obtained.
The case “has hopefully awakened users to the value of a simple email address,” said Jamz Yaneza, a threat research manager at Internet security company Trend Micro Inc (4704.T).
The case is U.S. v. Spitler et al, U.S. District Court, District of New Jersey, No. 11-mag-04022. (Reporting by Jonathan Stempel in New York; additional reporting by Sinead Carew; editing by Dave Zimmerman, Derek Caney, Steve Orlofsky and Andre Grenon)