Data Thefts May Be Linked
Warrants Served In LexisNexis Account Breach

By Brian Krebs
Special to The Washington Post
Friday, May 20, 2005

A computer break-in at database giant LexisNexis Group may be linked to members of a group of young hackers involved in the theft of revealing photos and celebrity contact numbers from the cell phone of hotel heiress Paris Hilton, a senior federal law enforcement official said.

Federal investigators this week seized computers and other evidence from several individuals across the country as part of a nationwide investigation of the LexisNexis breach, in which the intruders gained access to 310,000 personal records.

Three people targeted in the inquiry confirmed that federal investigators had served warrants at their homes. Authorities are investigating whether the suspects used e-mail pretending to contain child pornography to fool people into downloading software capable of capturing passwords and other information needed to infiltrate LexisNexis's computers, the law enforcement official said.

To make off with Hilton's cell phone data, a hacker apparently posed as a T-Mobile supervisor to get another employee to reveal a password into the company's network, and then group members exploited a software flaw in the system.

Among those whose homes were searched was a minor who has been in contact with a washingtonpost.com reporter and who said he was directly involved in both incidents.

Another of the three, Zach Mann, 18, of Maple Grove, Minn., said FBI and Secret Service personnel came to his home Monday and removed personal computers and dozens of computer disks.

"They came looking for anything connected with LexisNexis," Mann said before deferring further comment to his attorney, who confirmed that a federal search warrant had been executed at his client's address.

"They busted down the door and ran at me with guns pointed in my face," said Jason Hawks, 23, of Winston-Salem, N.C., in a telephone interview. He said he called 911 because he "saw people surrounding the house, and I thought it was burglars at first."

Hawks said agents pulled him outside on the front lawn and asked him questions about the LexisNexis intrusions. He said agents showed him a short list of names and asked whether he had looked them up on the LexisNexis service. Hawks said he had.

"I gave them everything they wanted to know, but they still played the 'good cop, bad cop' game," Hawks said. "They wanted to know whether I'd sold any of the information I saw, and I told them I didn't do any of that, that someone handed me a link and log-in and I just got caught up in it."

The minor, whose identity is not being revealed because he is a juvenile crime suspect and because he communicated with a washingtonpost.com reporter on condition of anonymity, said federal officials appeared at his home this week and seized his computer. He said investigators "got everybody" involved in the digital break-in.

Paul Bresson, an FBI spokesman in Washington, said federal search warrants in the LexisNexis case were served Monday and Tuesday in California, Minnesota and North Carolina.

The searches were divided between the FBI and Secret Service, Bresson said. Jonathan Cherry, a Secret Service spokesman, declined to comment on the case.

Bresson said the FBI was investigating whether hackers involved in the LexisNexis case might also be connected to the theft of information from a cell phone account owned by Hilton. But he said the FBI "does not know if that is true at this point."

In February, several Web sites published photos, some of them showing Hilton topless; private notes; and phone numbers of her celebrity friends.

Nine people were served search warrants by investigators, according to the federal law enforcement official, who would not be identified because of his role in this and other ongoing investigations. The official did not specify which members of the group may have been involved in the theft of Hilton's cell phone data.

The law enforcement source also said an arrest Tuesday of four people in Northern California was connected to the LexisNexis investigation. Special Agent Larae Quy at the FBI's San Francisco field office said four people were detained by Hayward, Calif., authorities on drug-related charges, but she did not confirm a connection to the LexisNexis investigation, saying the warrants had been sealed by a court order and that she was barred from discussing them.

Officials at the Washington headquarters of the FBI and Secret Service declined to comment.

The link between the LexisNexis and Paris Hilton investigations is supported by online conversations that a washingtonpost.com reporter had with the minor whose home was searched. The minor said he was involved in both intrusions and provided an image of what he said was a Web page that only T-Mobile employees would have access to, which allowed group members to retrieve Hilton's cell phone data. T-Mobile declined to comment.

He also provided an image that appeared to be a search-results screen that only a LexisNexis account holder would be able to see.

Officials from both companies declined to comment on the authenticity of the screen shots or on whether they could only have been taken by a person who had gained access to a restricted part of their online networks.

According to an account provided by the member of the hacker group -- and confirmed by the law enforcement source familiar with the case -- the LexisNexis break-in was set in motion by a blast of junk e-mail. Sometime in February a small group of hackers, many of whom knew each other only through online communications, sent out hundreds of e-mails with a message urging recipients to open an attached file to view pornographic images of children. The attachments had nothing to do with child porn; rather, the files contained a program that allowed the group's members to record anything a recipient typed on his or her computer keyboard.

According to the hacker, a police officer in Florida was among those who opened the infected e-mail message. Not long after his computer was infected with the keystroke-capturing program, the officer logged on to his police department's account at Accurint, a LexisNexis service provided by Florida-based subsidiary Seisint Inc., which sells access to consumer data. Other officers' log-in information may have been similarly stolen, the law enforcement source said.

The young hacker said the group members then created a series of sub-accounts using the police department's name and billing information. Over several days, the hacker said the group looked up thousands of names in the database, including friends and celebrities. The law enforcement source said members of the group eventually began selling Social Security numbers and other sensitive consumer information to a ring of identity thieves in California. Washingtonpost.com has not been able to reach the young hacker to seek comment about the sale of personal information.

LexisNexis first disclosed the breach on March 9. At the time, Kurt P. Sanford, head of LexisNexis's corporate and federal markets groups, told The Washington Post that perpetrators used computer programs to generate IDs and passwords that matched those of legitimate customers. In other cases, he said, hackers appear to have collected IDs and passwords after using malicious programs to collect the information from infected machines as they were being used.

Krebs is a staff writer for washingtonpost.com. Washington Post staff writers Dan Eggen and Jonathan Krim contributed to this report.

© 2005 The Washington Post Company