Last year, hackers were able to steal the user data of about 120,000 iPad users by using software to trick AT&T’s website into thinking it was being queried by Apple’s mobile device. Today, one of the two men charged in the case pleaded guilty to the charges in New Jersey and Texas.
Twenty-six-year-old Daniel Spitler pleaded guilty to two felony charges in the case, according to a story from PC World, and has a recommended sentence of 12 to 18 months in prison thanks to a plea agreement. He could still face as much as 10 years in prison, however, depending on the decision of the judge.
Spitler was charged along with another man, Andrew Auernheimer, in June 2010. Auernheimer is still working out a plea agreement with prosecutors. The two men were arrested after discovering a security loophole in AT&T’s website, which they claimed they were trying to bring to the company’s attention by exploiting it. They found that anyone was able to query the site with an iPad’s ICC-ID number, which is used to identify the device’s SIM card, and receive an email address for the device’s user.
The hackers allegedly created a software script that would guess at iPad ICC-ID numbers and send them through to AT&T’s site. Spitler had been accused of co-authoring it, and he pleaded guilty. When a guessed number was correct, the site would return the matching email address, allowing the hackers to harvest addresses from a large number of users. Among the addresses they managed to snag were those belonging to military personnel, as well as former White House Chief of Staff Rahm Emanuel and New York Mayor Michael Bloomberg.
The hacker group Spitler and Auernheimer were allegedly a part of, Goatse Security, claimed it attempted to make AT&T aware of the security breach, although chat room logs used as evidence in the case suggested that Auernheimer never actually contacted AT&T about the breach. But Goatse did embarrass AT&T by sharing the data it had stolen with a reporter from the tech blog Gawker.com.