Slashdot Mirror


AOL Employee Arrested in Spam Scheme

LostCluster writes "The AP, Reuters, and AOL's own CNN/Money are all reporting that AOL employee Jason Smathers has been arrested and accused of taking a list of 92 million screennames from the internal AOL system, and selling it to another man, who allegedly used it 'to promote his own Internet gambling business and also sold the list to other spammers for $52,000'. Not surprisingly, Smathers has been fired."

7 of 428 comments (clear)

  1. Security? by shadowkoder · · Score: 5, Insightful

    You would think there would be limitations on HOW an employee could access such a large database. I mean, does AOL throw out CDs with conveniently formatted lists of all the screen names of its customers?

    1. Re:Security? by isthisthingon · · Score: 5, Insightful
      Hmmm...just a guess, but it probably went something like this:
      SELECT *
      FROM customer_list
      ORDER BY last_name ASC;
      [zoom to scene of employee nervously looking over his shoulder and tapping his fingers impatiently]

      92,213,798 rows returned.

      [employee thinks to self]: "Dude! Cool! Bonus! We only had 91,125,553 last time I ran this. I'll have to thank the marketing department for sending out those CDs!"
      --
      And then one day you find, ten years have gone behind you....
  2. Double standards.. by BlueLines · · Score: 5, Insightful

    ..didn't a bunch of airlines admit to (basically) the same thing? no arrests there..

    --
    --BlueLines "The cost of living hasn't affected it's popularity." -anonymous
  3. And this is the inherent problem . . . by kfg · · Score: 5, Insightful

    with large, easily searched and copied databases of highly consolidated private data.

    The primary issue to be feared is not that someone who isn't trusted with the data will get ahold of it, but that someone who is trusted with the data will turn out to be untrustworthy.

    The same goes for backdoors. I'm not half so worried about some script kiddie hacking my router as I am some employee/former employee of Cisco simply walking right in.

    KFG

  4. Re:Fired? by Motherfucking+Shit · · Score: 5, Insightful
    Aren't we supposed to wait for someone to be found guilty before punishing them?
    My guess, and this is only a guess, is that Mr. Smathers was almost certainly confronted by HR or security (do they still call it OpsSec?). My second guess is that he probably admitted what he did.

    In any case, AOL doesn't have an opportunity to wait around and find out whether or not this guy is guilty in a court of law. This is a huge privacy breach affecting millions of people. According to CNN's version of the story, not only did the list contain screen names, it also had each user's telephone number, ZIP code, etc. AOL has no choice but to take immediate and harsh action, i.e. terminating the employee and alerting the authorities. If they hadn't fired the employee they'd be sued faster than you can say "1099 Hours Free."

    There may be lawsuits anyway. Millions of people entrusted their information to AOL, and now it's floating around in the hands of who knows how many spammers.
    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  5. Maybe there're more? by oberondarksoul · · Score: 5, Insightful

    What worries me is that there could easily be many more employees doing this - not just at AOL, but at other ISPs as well. However, I'm willing to bet that AOL isn't going to hunt for any other people like this doing it. Unless they're made aware of other inside jobs of this, they'll probably stay happily oblivious to anyone else wanting to make a fast buck.

    --
    And tomorrow the stock exchange will be the human race
  6. Re:Now do the same over at MSN/Hotmail by Hays · · Score: 5, Insightful

    Dictionary attacks become exponentially harder as your user name becomes longer, assuming that is constructed of random characters.

    The likelihood of a dictionary attack hitting a n character random string of characters and numbers is miniscule for n larger than 15 or so, even if the dictionary attacker is trying 1 million combinations a second, because there are (at least) 36^n user names in that space.

    my rough calculations say that it would take 7 billion years to dictionary attack the space of 15 character random numbers of and letters, even if you could do so at a rate of one million a second.

    So if your 15 character random user name gets spammed immediately after creation without ever being used, it's an inside job.

    But I wouldn't be surprised if it was buried in the Hotmail terms of service that they can sell your addresses.