"The facts are simple. In June of 2010, Andrew Auernheimerís co-defendant Daniel Spitler discovered that AT&Tís servers were publishing email addresses of iPad subscribers on the servers authentication log in page when queried with a SIM card number that matched an existing AT&T subscriberís SIM card number. Upon discovering this, Spitler wrote an iterative script that queried AT&Tís publicly accessible iPad servers and copied over 120,000 email addresses. No password or any type of security was ever hacked, nor was any attempt ever made to hack any password or bypass any existing security measures. In essence, what Spitlerís script did could be done by anyone with a web browser who entered in the right combination of numbers into a URL," it is explained on a Computer Fraud and Abuse Defense Fund website.
"Auernheimer immediately went to the press with this information, and emailed some of the people whose email addresses were obtained. Neither Auernheimer nor Spitler did anything else with the information. At trial there was no evidence of any harm to anyone except for the allegation that AT&T was embarrassed by its failure to protect what it claimed was confidential information."
Despite all this, late last year Auernheimer has been found guilty on one count of identity fraud and one count of conspiracy to access a computer without authorization. After today's sentencing he was remanded to custody.
Auernheimer and Spitler were the only two members of the group to get charged for their role in the matter. Spitler pleaded guilty in 2011. Both have been ordered to pay AT&T $73,000 in damages.
When his prison stay ends, Auernheimer will still be required to be under supervision for three years.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.