Paris Hilton Hack Started With Old-Fashioned Con

By Brian Krebs Staff Writer
Thursday, May 19, 2005; 3:24 PM

The caper had all the necessary ingredients to spark a media firestorm -- a beautiful socialite-turned-reality TV star, embarrassing photographs and messages, and the personal contact information of several young music and Hollywood celebrities.

When hotel heiress Paris Hilton found out in February that her high-tech wireless phone had been taken over by hackers, many assumed that only a technical mastermind could have pulled off such a feat. But as it turns out, a hacker involved in the privacy breach said, the Hilton saga began on a decidedly low-tech note -- with a simple phone call.

Computer security flaws played a role in the attack, which exploited a programming glitch in the Web site of Hilton's cell phone provider, Bellevue, Wash.-based T-Mobile International. But one young hacker who claimed to have been involved in the data theft said the crime only succeeded after one member of a small group of hackers tricked a T-Mobile employee into divulging information that only employees are supposed to know.

The young hacker described the exploit during online text conversations with a reporter and provided other evidence supporting his account, including screen shots of what he said were internal T-Mobile computer network pages. is not revealing the hacker's identity because he is a juvenile crime suspect and because he communicated with the reporter on the condition that he not be identified either directly or through his online alias.

A senior law enforcement official involved in the case said investigators believe the young hacker's group carried out the Paris Hilton data theft and was also involved in illegally downloading thousands of personal records from database giant LexisNexis Inc. The source asked not to be identified because of his role in this and other ongoing investigations.

A third source, a woman who has communicated with the hacker group's members for several years, also confirmed key portions of the young hacker's story and said she saw images and other information downloaded from Hilton's T-Mobile account hours before they were released on several Web sites.

T-Mobile declined to comment on the details of the hacker's account of the Paris Hilton incident, saying through a spokesman that the company cannot discuss an ongoing investigation. The spokesman said the company "will work with federal law enforcement agencies to investigate and prosecute anyone that attempts to gain unauthorized access to T-Mobile systems."

Getting Access

In the months leading up to the Hilton incident, the hacker group freely exploited a security glitch in the Web site of wireless phone giant T-Mobile, according to the hacker, who described himself as the youngest member of the group. The group had found that a tool on the T-Mobile site that allowed users to reset their account passwords contained a key programming flaw.

By exploiting the flaw, the group's members were able to gain access to the account of any T-Mobile subscriber who used a "Sidekick," a pricey phone-organizer-camera combination device that stores videos, photos and other data on T-Mobile's central computer servers.

The hackers could only exploit the Web site vulnerability if they actually knew a Sidekick user's phone number. The loose-knit group had grown bored of using the flaw to toy with friends and acquaintances who owned Sidekicks and decided to find a high-profile target, one that would ensure their exploits were reported in the press, the young hacker said. They ultimately settled on Hilton, in part because they knew she owned a Sidekick; Hilton had previously starred in a commercial advertising the device.

The group's members --- who range in age from their mid-teens to early 20s -- include a handful of "AOLers," a term used in hacker circles to describe youths who honed their skills over the years by tampering with various portions of the network run by Dulles, Va.-based America Online Inc. Four members of the group have all met face-to-face, but as with most hacking groups, the majority of their day-to-day interactions took place online.

Before gaining access to Hilton's wireless phone account, the group had spent a year studying weaknesses in T-Mobile's Web sites. The group member interviewed for this story had already written a simple computer program that could reset the password for any T-Mobile user whose phone number the hackers knew.

CONTINUED     1           >

© 2005 The Washington Post Company