U.S. Attorney Paul Fishman of New Jersey said Daniel Spitler, who works as a store detective at a Borders bookstore in San Francisco, surrendered to FBI agents in Newark this morning.
Spitler made an initial appearance before a federal magistrate in Newark and was released on $50,000 bail.
Magistrate Claire Cecchi barred him from having any access to computers while on bail except as needed for his job, said U.S. attorney spokeswoman Rebekah Carmichael.
Spitler and a second defendant, Andrew Auernheimer, 25, of Fayetteville, Ark., were both charged Jan. 13 in a federal criminal complaint with one count of conspiring to gain unauthorized access to computers and one count of fraudulently obtaining personal information.
Each count could carry a sentence of up to five years in prison upon conviction.
The two men, who described themselves in online chats as Internet “trolls,” are accused of exploiting a former flaw in AT&T Communications Inc. security to hack into the telephone company’s servers and obtain the e-mails of 120,000 people in June 2010.
The victims of the alleged scheme were iPad owners who used AT&T’s 3G network to gain access to the Internet. The men allegedly used a script they called “Account Slurper” to capture the email addresses, the complaint said.
An article posted on Gawker on June 9 alleged the victims included high-profile early adopters of the iPad in finance, politics and media, including New York Mayor Michael Bloomberg, ABC news anchor Diane Sawyer, and film mogul Harvey Weinstein.
Fishman said at a news conference today that there is no evidence the two men used the emails for criminal purposes, according to Carmichael, but emphasized the severity of the charges.
“Hacking is not a competitive sport, and security breaches are not a game,” Fishman said. “Computer instructions and the spread of malicious code are a threat to national security, corporate security and personal security.”
The iPad touchscreen computer tablet was introduced by Cupertino-based Apple Inc. in January 2010. The 3G wireless network used by many iPad owners is provided by AT&T Communications Inc., based in Bedminster, N.J.
Auernheimer was arrested in Fayetteville this morning. A U.S. magistrate in Arkansas ordered that he be held in custody until a detention hearing on Friday, Carmichael said.
The complaint, written by FBI Agent Christian Schole, said the two men were members of a group called Goatse Security, described by Schole as a loose association of hackers and self-professed “trolls.”
The complaint gives excerpts of alleged online chats that appear to suggest Spitler and Auernheimer considered an array of uses for the e-mails, including selling them to spammers, publicly exposing the flaw, and trying to make a profit on a possible drop in AT&T stock prices.
On June 5, Auernheimer allegedly wrote, “This could be like, a future massive phishing operation serious like this is valuable data we have a list a potential complete list of AT&T iphone subscriber emails.”
The next day, Spitler, referring to a new set of captured e-mail addresses, wrote, “if I can get a couple thousand out of this set where can we drop this for max lols?”
But after the Gawker article appeared, the complaint alleges that “defendant Spitler was afflicted by ‘post-troll paranoia,’” and the two men talked about destroying the stolen data.
On June 10, Auernheimer allegedly wrote, “might be best to toss” the information.
Spitler answered, “yeah, I dont really give a fuck about it the troll is done.” Auernheimer responded, “yes we emerged victorious,” and Spitler added, “script is going byebye too,” the complaint said.
Carmichael said there is no information in the public records about whether the stolen emails were destroyed.
AT&T spokesman Mark Siegel said the security flaw was fixed in June.
“We take our customers’ privacy very seriously, and we cooperate with law enforcement whenever necessary to protect it,” Siegel said.
The complaint alleges that AT&T spent about $73,000 to remedy the data breach, including the cost of contacting all iPad 3G customers to inform them of the flaw and AT&T’s response.
Spitler’s defense attorney, Susan Cassell of Ridgewood, N.J., could not be reached for comment.
Julia Cheever, Bay City News