Hacker found guilty of AT&T data breach

A hacker has been convicted over the 2010 AT&T security breach in which 120,000 iPad owners’ email addresses were leaked.

Andrew ‘Weev’ Auernheimer, 26, has been found guilty in the District Court in New Jersey of conspiracy to access a computer without authorization and fraud in connection with personal information. He’ll be sentenced in February, and faces up to five years in prison on each count.

Daniel Spitler, 26, was convicted of the same offenses in June 2011.

Auernheimer says he plans to appeal, on the grounds that he didn’t bypass any security on the AT&T site in order to capture the data.

Instead, the pair carried out their attack using an ‘account slurper’, which blasted AT&T servers with random sets of login info, harvesting successful combinations.

This was possible because, until mid-June 2010, AT&T automatically linked an iPad 3G user’s email address to the Integrated Circuit Card Identifier (ICC-ID) – a unique number associated with individual iPads. The aim was to give faster, more user-friendly access to the site – for which read ‘faster, more hacker-friendly’.

The pair, members of the Goatse Security hacking group, claimed that they were simply trying to help AT&T with its security – although they don’t seem to have alerted the company before publishing the data. There was, though, no evidence that they used the data for criminal purposes.

The email addresses included those belonging to New York Mayor Michael Bloomberg and former White House Chief of Staff Rahm Emanuel.