Two Arrested in Massive iPad Hack Attack

Jan. 18, 2011— -- Two men described as "Internet trolls" have been charged today with allegedly hacking AT&T's servers to obtain the information of 120,000 iPad users, including some boldface names like Hollywood mogul Harvey Weinstein, New York Mayor Michael Bloomberg and President Obama's former chief of staff.

Then they allegedly bragged about it.

The hack attack occurred during the initial release of Apple's tablet computer, court documents state.

Daniel Spitler, 26, of San Francisco and Andrew Auernheimer, 25, of Fayetteville, Ark., have each been charged with one count of fraud and one count of conspiracy to access a computer without authorization, the U.S. prosecutors announced today in Newark, N.J.

"Hacking is not a competitive sport, and security breaches are not a game. Companies that are hacked can suffer significant losses, and their customers made vulnerable to other crimes, privacy violations, and unwanted contact," U.S. Attorney Paul J. Fishman said.

According to the complaint filed by the FBI in Newark, Spitler and Auernheimer allegedly used a "brute force" hack tactic over several days last June on AT&T servers to uncover email addresses related to iPad accounts.

After the attack, the Website Gawker.com was allegedly supplied with information obtained during the hack from the group Goatse Security, described in the complaint as a "loose association of internet hackers" that Spitler and Auernheimer were both allegedly associated with.

A representative from Goatse responded to an ABC News inquiry over email, saying the group was standing behind the men.

"Goatse Security is behind Mr. Spitler and Mr. Auernheimer 100%," Leon Kaiser, head of public relations for Goatse Security said.

The court papers cite Gawker's report and state that roughly 120,000 emails were captured, including from luminaries like Bloomberg and Weinstein. In addition, emails from Obama's former chief of staff Rahm Emanuel, ABC News anchor Diane Sawyer, and a raft of emails allegedly associated with the Department of Defense were hacked into, the documents state.

According to the complaint, Auernheimer and Spitler talked about the hack in chat logs seized by the FBI. At one point Spitler allegedly claimed he "hit oil" as they uncovered the emails. Auernheimer allegedly took credit for the attack in an email he sent to the U.S. Attorney's office in New Jersey in November.

"AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders," he wrote, according to the complaint.

Arrests Made in AT&T Hack Attack

Goatse Security also maintains Spitler and Auernheimer did nothing wrong, according to Kaiser.

"Goatse Security still holds the position that no criminal act was committed. Spitler and Auernheimer acted entirely within the law, and entirely for the interests of public security. The flaw was quite literally stumbled upon; AT&T was never targeted, and upon gathering of the data, it was not sold, distributed, or used otherwise (although it certainly had the potential to be used quite maliciously)," Kaiser said.

"Under no circumstances was the data ever made public. It was only given to Gawker Media under the condition that it would be redacted, just as proof that the data had been leaked and this was not a fictitious claim. Had it not been released to the media in the way it was, it would have been swept under the rug and users would never have known," Kaiser said.

Despite claims the men were trying to guard user privacy by exposing the security flaw, the FBI saw the attack as purely criminal.

"Unauthorized intrusions into personal privacy adversely affect individual citizens, businesses, and even national security," said Michael Ward, special agent in charge of the FBI's Newark field office.

"Such intrusion cases, regardless of the motive is criminal gain or prestige among peers in the cyber-hacking world, must and will be aggressively pursued to ensure these rights are protected to the highest degree," Ward said.

In a 2008 interview with the New York Times, Auernheimer spoke about his hacker activities.

"I hack, I ruin, I make piles of money. I make people afraid for their lives," he said to the Times.

The two allegedly mused about gaining publicity for the hack. In more online conversations seized by the feds and put in the complaint they allegedly scheme about the best way to capture a reporter's attention.

"if we get 1 reporters address with this somehow we instantly have a story ... the best way tohave a leadin on it ... HI I STOLE YOUR EMAIL FROM AT &&T WANT TO KNOW HOW?" Auernheimer allegedly wrote to Spitler.

The men also allegedly went so far as to discuss making a profit over the breach in the stock market, with the defendants discussing delaying the announcement of the breach so they could short AT&T stock, the complaint says.

AT&T was left apologizing to the 120,000 iPad users, and the complaint says the company has spent roughly $73,000 so far to remedy the data breach.

According to the U.S. Attorney's office, Spitler surrendered today to the FBI in Newark and is scheduled to appear in federal court. Auernheimer is scheduled to appear in federal court in Fayetteville. Neither men have entered a plea and attorneys for both could not be reached for comment.