A 24-year-old software engineer at America Online Inc. was arrested yesterday on federal charges that he hacked into the company's computers to steal 92 million e-mail addresses that were later sold and used to bombard AOL members with spam.
Jason Smathers, who worked at the company's Dulles headquarters, is accused of illegally obtaining the e-mail addresses of nearly all of the Internet provider's customers in May 2003. Smathers allegedly sold the names for $100,000 to Sean Dunaway, 21, who ran an Internet gambling business in Las Vegas, prosecutors said.
Dunaway then sold the list to unidentified spammers, who used it early this year to send millions of e-mails peddling herbal penile enhancement products, according to a criminal complaint filed in federal court in the Southern District of New York.
Smathers, who became an AOL employee in 1999, obtained other AOL member information as well, including telephone numbers, Zip codes and types of credit cards used by members, though not credit card numbers, according to the complaint. The company said those numbers are stored in a separate, secure facility.
The revelations come as AOL and other Internet providers have ramped up their efforts to track down the purveyors of spam, which has grown into a maddening scourge that costs consumers and businesses billions of dollars a year.
"I am very, very angry about this," said Jonathan F. Miller, AOL's chief executive, in an e-mail to employees yesterday. "We will absolutely not tolerate wrongdoing by employees. . . . We will do everything we can to uncover abuse and assist law enforcement in prosecuting it."
The company, which helped investigators surreptitiously monitor Smathers for the past two months, said in a statement that it is reviewing and strengthening its internal controls.
AOL uncovered the scheme after it filed suit in March against another spammer. In the course of that case, a source told an AOL official that one of its employees was stealing screen names from the company and selling them to a third party.
According to prosecutors, Smathers was not authorized to access AOL's customer database, which can be viewed by only a small number of employees and is "housed" in secure computers. But in May 2003, Smathers used the computerized employee identification code of another AOL worker to gain entry to the data and compile the lists of AOL's roughly 30 million users, many of whom maintain more than one screen name.
"I think I found the member database," Smathers wrote in an instant message to an unidentified person who used the handle The Brews. "There are going to be millions of them so, will take time to extract. I will do them a chunk at a time."
The text of the instant message was in an e-mail found by investigators, including Secret Service members, on a company laptop belonging to Smathers. Computer logs also showed that Smathers apparently was also able to get access to the data from his home in Harpers Ferry, W. Va.
The informant who alerted AOL to the scheme told investigators that roughly a month after Smathers accessed the data, Dunaway sold him the 92 million names in 26 separate blocks, one for each letter of the alphabet, for $52,000. He provided investigators with CD-ROMs containing the lists, which matched the way the data was stored by AOL.
The source told investigators that early this year he bought a revised list from Dunaway for roughly $32,500. That list was much smaller, about 18 million screen names, and Dunaway said it was more up to date and "a more risky proposition for his AOL insider to obtain" because it had other subscriber data, according to the complaint.
Prosecutors said Dunaway boasted that spamming for his Internet gambling business was earning between $10,000 and $20,000 a day. Smathers was arrested yesterday morning at his home, made an initial appearance in federal court in Alexandria and was held in jail overnight, pending a detention hearing scheduled for today. He was assigned a public defender, who declined to comment.
Dunaway was arrested yesterday at his home in Las Vegas.
The charges against both men include conspiring to transport stolen goods across state lines, gaining unauthorized access to computers and sending out deceptive bulk e-mail with disguised origins.
Each man faces a maximum sentence of five years in prison and a fine of $250,000.
The government said that the source was cooperating in hopes of winning leniency and that his information has been independently corroborated.
"It is a very disturbing fact of life that an employee with criminal intentions can betray our members' trust by working around systems and procedures that are in place to protect data from disclosure," AOL said in statement.
Staff writer Jerry Markon contributed to this report.