By Jonathan Krim and David A. Vise Washington Post Staff Writers
Thursday, June 24, 2004; Page A01
A 24-year-old software engineer at America Online Inc. was arrested yesterday on federal charges that he hacked into the company's computers to steal 92 million e-mail addresses that were later sold and used to bombard AOL members with spam.
Jason Smathers, who worked at the company's Dulles headquarters, is accused of illegally obtaining the e-mail addresses of nearly all of the Internet provider's customers in May 2003. Smathers allegedly sold the names for $100,000 to Sean Dunaway, 21, who ran an Internet gambling business in Las Vegas, prosecutors said.
Dunaway then sold the list to unidentified spammers, who used it early this year to send millions of e-mails peddling herbal penile enhancement products, according to a criminal complaint filed in federal court in the Southern District of New York.
Smathers, who became an AOL employee in 1999, obtained other AOL member information as well, including telephone numbers, Zip codes and types of credit cards used by members, though not credit card numbers, according to the complaint. The company said those numbers are stored in a separate, secure facility.
The revelations come as AOL and other Internet providers have ramped up their efforts to track down the purveyors of spam, which has grown into a maddening scourge that costs consumers and businesses billions of dollars a year.
"I am very, very angry about this," said Jonathan F. Miller, AOL's chief executive, in an e-mail to employees yesterday. "We will absolutely not tolerate wrongdoing by employees. . . . We will do everything we can to uncover abuse and assist law enforcement in prosecuting it."
The company, which helped investigators surreptitiously monitor Smathers for the past two months, said in a statement that it is reviewing and strengthening its internal controls.
AOL uncovered the scheme after it filed suit in March against another spammer. In the course of that case, a source told an AOL official that one of its employees was stealing screen names from the company and selling them to a third party.
According to prosecutors, Smathers was not authorized to access AOL's customer database, which can be viewed by only a small number of employees and is "housed" in secure computers. But in May 2003, Smathers used the computerized employee identification code of another AOL worker to gain entry to the data and compile the lists of AOL's roughly 30 million users, many of whom maintain more than one screen name.
"I think I found the member database," Smathers wrote in an instant message to an unidentified person who used the handle The Brews. "There are going to be millions of them so, will take time to extract. I will do them a chunk at a time."