This is kinda scarey


Dormant account
Sep 25, 2003
Vancouver Island
AOL: Worker stole user IDs

Engineer accused of selling 92 million e-mail addresses


Washington Post

WASHINGTON - A 24-year-old software engineer at America Online Inc. was arrested Wednesday on federal charges that he hacked into the company's computers to steal 92 million e-mail addresses that were later sold and used to bombard AOL members with spam.

Jason Smathers, who was fired from his job at the company's Dulles, Va., headquarters, is accused of illegally obtaining the e-mail addresses of nearly all the Internet provider's customers in May 2003.

Smathers allegedly sold the names for $100,000 to Sean Dunaway, 21, who ran an Internet gambling business in Las Vegas, prosecutors said.

Dunaway then sold the list to unidentified spammers, who used it early this year to send millions of e-mails peddling herbal penile enhancement products, according to a criminal complaint filed in federal court in the Southern District of New York.

Smathers, who joined AOL in 1999, obtained other AOL member information as well, including telephone numbers, ZIP codes and types of credit cards used by members, though not credit card numbers. The company said those numbers are stored in a separate, secure facility.

The revelations come as AOL and other Internet providers have ramped up efforts to track down purveyors of spam, which has grown into a maddening scourge that costs consumers and businesses billions of dollars a year.

"I am very, very angry about this," said Jonathan Miller, AOL's chief executive, in an e-mail to employees Wednesday. "We will absolutely not tolerate wrongdoing by employees. ... We will do everything we can to uncover abuse and assist law enforcement in prosecuting it."

The company, which helped investigators surreptitiously monitor Smathers for the past two months, said in a statement it is reviewing and strengthening its internal controls.

AOL uncovered the scheme after it filed suit in March against another spammer. In the course of that case, a source told an AOL official that one of its employees was stealing screen names from the company and selling them to a third party.

According to prosecutors, Smathers was not authorized to access AOL's customer database, which can be viewed by only a small number of employees and is "housed" in secure computers.

But in May 2003, Smathers reportedly used the computerized employee identification code of another AOL worker to gain entry to the data and compile the lists of AOL's roughly 30 million users, many of whom maintain more than one screen name.

"I think I found the member database," Smathers wrote in an instant message to an unidentified person who used the handle The Brews. "There are going to be millions of them so, will take time to extract. I will do them a chunk at a time."

The text of the instant message was in an e-mail found by investigators, including Secret Service members, on a company laptop belonging to Smathers. Computer logs also showed that Smathers apparently was able to get access to the data from his home in Harpers Ferry, W.Va.

The informant who alerted AOL to the scheme told investigators that roughly a month after Smathers accessed the data, Dunaway sold him the 92 million names in 26 separate blocks, one for each letter of the alphabet, for $52,000. He provided investigators with CD-ROMs containing the lists, which matched the way the data was stored by AOL.

The source told investigators that early this year, he bought a revised list from Dunaway for about $32,500. That list was much smaller, about 18 million screen names, and Dunaway said it was more up-to-date and "a more risky proposition for his AOL insider to obtain" because it had other subscriber data, according to the complaint.

Prosecutors said Dunaway boasted that spamming for his Internet gambling business was earning between $10,000 and $20,000 a day.

Smathers was arrested Wednesday morning at his home and made an initial appearance in federal court in Alexandria, Va., then was held in jail overnight, pending a detention hearing scheduled for today.

He was assigned a public defender, who did not comment.

Dunaway was arrested Wednesday at his home in Las Vegas.

The charges against both men include conspiring to transport stolen goods across state lines, gaining unauthorized access to computers and sending out deceptive bulk e-mail with disguised origins.

The two men each face a maximum sentence of five years in prison and a fine of $250,000.
I recommend capital punshiment for these clowns!


Users who are viewing this thread

Meister Ratings