AOL customer list stolen, sold to spammer

A former AOL employee was charged Wednesday with stealing the Internet provider's entire subscriber list and selling it to a spammer.
Source: msnbc.com

A former AOL employee was charged Wednesday with stealing the Internet provider's entire subscriber list -- over 30 million consumers, and their 90 million screen names -- and selling it to a spammer.

The employee, a 24-year-old software engineer named Jason Smathers, was arrested Wednesday at his residence in Harpers Ferry, W.Va., according to the U.S. Attorney's Office in the Southern District of New York. 

According to a complaint filed before Judge Andrew J. Peck, Smathers accessed AOL's subscriber list in May 2003, then sold the list to 21-year-old Las Vegas resident Sean Dunaway for an unknown sum. Dunaway was also arrested Wednesday.

Authorities allege Dunaway used the list to promote his Internet gambling business, and then resold it to another spammer for $52,000. That spammer, who isn't named in the complaint, eventually agreed to cooperate with authorities and fingered Dunaway to U.S. Secret Service Agent Peter Cavicchia, hoping for leniency from government prosecutors.

The unnamed spammer admitted to using the AOL e-mail addresses to send e-mail marketing herbal penile enlargement pills. The spammer also told authorities that Dunaway claimed to be making $10,000 to $20,000 per day from his Internet gambling business.

AOL said no users will be forced to change their e-mail address because of the theft. Instead, the company will simply continue to attempt to block spam before it hits users.

"What we are doing for consumers is cooperating with law enforcement," said Nicholas Graham, AOL spokesman. "AOL members can rely on us to tighten our filters, get them more tools to fight spam, and file lawsuits against spammers. Our anti-spam efforts are still hitting on all cylinders."

Other personal data also stolen
According to the complaint, information on AOL's 30 million subscribers is maintained in the company's "Data Warehouse," and access is limited to a small number of employees. Smathers, who worked at the firm's Dulles office, didn't have access to the data, but he impersonated another employee to reach it, the complaint says.

Smathers, who had worked at AOL since 1999, got more than screen names, according to the complaint. He also allegedly stole related zip codes, credit card types and telephone numbers. But he did not get credit card numbers, the complaint says, because they are stored separately by the company.

A search of Smathers' employee computer last month revealed electronic conversations he had with Dunaway describing the heist, according to the government. After stealing the entire screen name database in May 2003, Smathers went back and got an update in March 2004, taking another 18 million screen names. Dunaway paid $100,000 to Smathers for the updated list, and later sold it to the unnamed spammer for $32,000.

During their investigation, AOL technicians discovered a telling file on Smathers' computer, which included a conversation between Smathers and a correspondent named "The Brews." Initially, the correspondent complains that most spam lists include many fake and invalid AOL addresses.

"Well . . . it would be different if you mailed current AOL members. But the lists I use, and others have used, are just collected lists where people have to enter their emails and all there is thousands and thousands of fake emails. If you have a database of REAL emails, that were fresh, the ratio of sign ups would be sooo much greater. If you have any ideas on bulk mailing with AOL lol let me know and I can get you a program set up in a heart beat. heh."

To that, Smathers replied: "Well I’ll check it out ... It isn’t going to be easy. I think I found the member database ... Just need to figure out how to get the SNs [screen names] it is spread over like 30 computers ... You can’t talk about this."

But later, he added, "OK, I got it figured out ... there are going to be millions of them so, will take time to extract I will do them a chunk at a time ... because 37 million accounts have up to 7 screen names per account I’d expect there to be around 100 million active screen names maybe more."

Both face up to five years in prison, the complaint says.