[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ISN] AOL Employee Charged in Theft Of Screen Names
[The Smoking Gun has the amended complaint at:
http://www.thesmokinggun.com/archive/0623042aol1.html - WK]
By Jonathan Krim and David A. Vise
Washington Post Staff Writers
June 24, 2004
A 24-year-old software engineer at America Online Inc. was arrested
yesterday on federal charges that he hacked into the company's
computers to steal 92 million e-mail addresses that were later sold
and used to bombard AOL members with spam.
Jason Smathers, who worked at the company's Dulles headquarters, is
accused of illegally obtaining the e-mail addresses of nearly all of
the Internet provider's customers in May 2003. Smathers allegedly sold
the names for $100,000 to Sean Dunaway, 21, who ran an Internet
gambling business in Las Vegas, prosecutors said.
Dunaway then sold the list to unidentified spammers, who used it early
this year to send millions of e-mails peddling herbal penile
enhancement products, according to a criminal complaint filed in
federal court in the Southern District of New York.
Smathers, who became an AOL employee in 1999, obtained other AOL
member information as well, including telephone numbers, Zip codes and
types of credit cards used by members, though not credit card numbers,
according to the complaint. The company said those numbers are stored
in a separate, secure facility.
The revelations come as AOL and other Internet providers have ramped
up their efforts to track down the purveyors of spam, which has grown
into a maddening scourge that costs consumers and businesses billions
of dollars a year.
"I am very, very angry about this," said Jonathan F. Miller, AOL's
chief executive, in an e-mail to employees yesterday. "We will
absolutely not tolerate wrongdoing by employees. . . . We will do
everything we can to uncover abuse and assist law enforcement in
The company, which helped investigators surreptitiously monitor
Smathers for the past two months, said in a statement that it is
reviewing and strengthening its internal controls.
AOL uncovered the scheme after it filed suit in March against another
spammer. In the course of that case, a source told an AOL official
that one of its employees was stealing screen names from the company
and selling them to a third party.
According to prosecutors, Smathers was not authorized to access AOL's
customer database, which can be viewed by only a small number of
employees and is "housed" in secure computers. But in May 2003,
Smathers used the computerized employee identification code of another
AOL worker to gain entry to the data and compile the lists of AOL's
roughly 30 million users, many of whom maintain more than one screen
"I think I found the member database," Smathers wrote in an instant
message to an unidentified person who used the handle The Brews.
"There are going to be millions of them so, will take time to extract.
I will do them a chunk at a time."
The text of the instant message was in an e-mail found by
investigators, including Secret Service members, on a company laptop
belonging to Smathers. Computer logs also showed that Smathers
apparently was also able to get access to the data from his home in
Harpers Ferry, W. Va.
The informant who alerted AOL to the scheme told investigators that
roughly a month after Smathers accessed the data, Dunaway sold him the
92 million names in 26 separate blocks, one for each letter of the
alphabet, for $52,000. He provided investigators with CD-ROMs
containing the lists, which matched the way the data was stored by
The source told investigators that early this year he bought a revised
list from Dunaway for roughly $32,500. That list was much smaller,
about 18 million screen names, and Dunaway said it was more up to date
and "a more risky proposition for his AOL insider to obtain" because
it had other subscriber data, according to the complaint.
Prosecutors said Dunaway boasted that spamming for his Internet
gambling business was earning between $10,000 and $20,000 a day.
Smathers was arrested yesterday morning at his home, made an initial
appearance in federal court in Alexandria and was held in jail
overnight, pending a detention hearing scheduled for today. He was
assigned a public defender, who declined to comment.
Dunaway was arrested yesterday at his home in Las Vegas.
The charges against both men include conspiring to transport stolen
goods across state lines, gaining unauthorized access to computers and
sending out deceptive bulk e-mail with disguised origins.
Each man faces a maximum sentence of five years in prison and a fine
The government said that the source was cooperating in hopes of
winning leniency and that his information has been independently
"It is a very disturbing fact of life that an employee with criminal
intentions can betray our members' trust by working around systems and
procedures that are in place to protect data from disclosure," AOL
said in statement.
Staff writer Jerry Markon contributed to this report
ISN mailing list
Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
(Broke? Spend 15 minutes a day on the project!)