Slashdot Mirror

← Back to Stories (view on slashdot.org)

AOL Employee Arrested in Spam Scheme

Posted by simoniker on from the america-shaking-fist-online dept.

LostCluster writes "The AP, Reuters, and AOL's own CNN/Money are all reporting that AOL employee Jason Smathers has been arrested and accused of taking a list of 92 million screennames from the internal AOL system, and selling it to another man, who allegedly used it 'to promote his own Internet gambling business and also sold the list to other spammers for $52,000'. Not surprisingly, Smathers has been fired."

24 of 428 comments (clear)

  1. AOL's New Slogan by Anonymous Coward · · Score: 5, Funny

    "You've Got Spam!"

    1. Re:AOL's New Slogan by homer_ca · · Score: 5, Informative

      That's easy to block if you run your own mail server. All AOL dialups have hostnames ending with ipt.aol.com. AOL's mail servers have hostnames ending with mx.aol.com. Deny hosts from ipt.aol.com and problem solved.

    2. Re:AOL's New Slogan by JPriest · · Score: 5, Informative
      Why would they? Once the aliases are sold and resold, what can AOL really do to recover them?

      Mr. Spammers, please delete all @aol.com email addresses in you list, yeah right!

      My girlfriend recently recovered an account that has not been active in 3 1/2 years, it still gets flooded with spam despite 3 1/2 years of not existing.

      I doubt AOL users will be much better off unless they want to create a new alias.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  2. I'm surprised... by Anonymous Coward · · Score: 5, Funny

    That they didn't pay more for the list. I mean, the names of 92 million really clueless people who think AOL is "that thar interweb" would probably buy V1@GR@ by the case. Jesus, it would be a spammer's wet dream!

  3. Welcome! by Motherfucking+Shit · · Score: 5, Funny

    You've Got Jail!

    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  4. Security? by shadowkoder · · Score: 5, Insightful

    You would think there would be limitations on HOW an employee could access such a large database. I mean, does AOL throw out CDs with conveniently formatted lists of all the screen names of its customers?

    1. Re:Security? by isthisthingon · · Score: 5, Insightful
      Hmmm...just a guess, but it probably went something like this:
      SELECT *
      FROM customer_list
      ORDER BY last_name ASC;
      [zoom to scene of employee nervously looking over his shoulder and tapping his fingers impatiently]

      92,213,798 rows returned.

      [employee thinks to self]: "Dude! Cool! Bonus! We only had 91,125,553 last time I ran this. I'll have to thank the marketing department for sending out those CDs!"
      --
      And then one day you find, ten years have gone behind you....
  5. Re:Fired? by Kiryat+Malachi · · Score: 5, Informative

    Only in criminal court. Unless the guy had an employment contract that stated otherwise, he was employed "at the pleasure of the employer" - i.e. he can be fired for just about anything, barring discriminatory or retaliatory firings.

    And I don't think anyone can argue that there's cause here.

    --

    ---
    Mod me down, you fucking twits. Go ahead. I dare you.
    (I read with sigs off.)
  6. Double standards.. by BlueLines · · Score: 5, Insightful

    ..didn't a bunch of airlines admit to (basically) the same thing? no arrests there..

    --
    --BlueLines "The cost of living hasn't affected it's popularity." -anonymous
  7. And this is the inherent problem . . . by kfg · · Score: 5, Insightful

    with large, easily searched and copied databases of highly consolidated private data.

    The primary issue to be feared is not that someone who isn't trusted with the data will get ahold of it, but that someone who is trusted with the data will turn out to be untrustworthy.

    The same goes for backdoors. I'm not half so worried about some script kiddie hacking my router as I am some employee/former employee of Cisco simply walking right in.

    KFG

  8. Now do the same over at MSN/Hotmail by SomePoorSchmuck · · Score: 5, Interesting

    It's well known that you can invent "unguessable" accounts at hotmail, e.g. rmgdrduckk5arp@hotmail.com, and never join any mailing list or submit your name to any website or allow MSN to list you in the Hotmail User Directory, and yet within a few days or weeks your account will miraculously begin receiving offers from mail order brides, pills, porn, and so on. I've long suspected that someone working for Hotmail is making money on the side by downloading the user list once a week and selling it to spammers. Which is why my hotmail accounts have lapsed and I mainly use my yahoo or Gmail accounts.

    --

    Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
    1. Re:Now do the same over at MSN/Hotmail by Hays · · Score: 5, Insightful

      Dictionary attacks become exponentially harder as your user name becomes longer, assuming that is constructed of random characters.

      The likelihood of a dictionary attack hitting a n character random string of characters and numbers is miniscule for n larger than 15 or so, even if the dictionary attacker is trying 1 million combinations a second, because there are (at least) 36^n user names in that space.

      my rough calculations say that it would take 7 billion years to dictionary attack the space of 15 character random numbers of and letters, even if you could do so at a rate of one million a second.

      So if your 15 character random user name gets spammed immediately after creation without ever being used, it's an inside job.

      But I wouldn't be surprised if it was buried in the Hotmail terms of service that they can sell your addresses.

  9. Fair Punishment by SkyWalk423 · · Score: 5, Funny

    I say make him answer AOL tech support phone calls. He'll beg for jail time after about a week.

  10. Re:Fired? by Motherfucking+Shit · · Score: 5, Insightful
    Aren't we supposed to wait for someone to be found guilty before punishing them?
    My guess, and this is only a guess, is that Mr. Smathers was almost certainly confronted by HR or security (do they still call it OpsSec?). My second guess is that he probably admitted what he did.

    In any case, AOL doesn't have an opportunity to wait around and find out whether or not this guy is guilty in a court of law. This is a huge privacy breach affecting millions of people. According to CNN's version of the story, not only did the list contain screen names, it also had each user's telephone number, ZIP code, etc. AOL has no choice but to take immediate and harsh action, i.e. terminating the employee and alerting the authorities. If they hadn't fired the employee they'd be sued faster than you can say "1099 Hours Free."

    There may be lawsuits anyway. Millions of people entrusted their information to AOL, and now it's floating around in the hands of who knows how many spammers.
    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  11. AOL by elbazo · · Score: 5, Funny

    News just in :

    In response to this 99% of AOL members surveyed who recieved the e-mail clicked on the link and frittered many dollars away at the casino making spam profitable and so continuing the downward spiral of e-mail.

    One user replied saying : "I trust AOL so much when it comes to spam, they always send me the top dollar stuff like penis enlargement pills and always ask me to change my password on non secure sites and ask for my credit card as my account has been hacked. They care so much"

  12. Yeah the only problem is. by nlinecomputers · · Score: 5, Funny

    Is that it will be quickly followed by.

    Welcome!

    "You've got Bail!"

    --
    Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
  13. Maybe there're more? by oberondarksoul · · Score: 5, Insightful

    What worries me is that there could easily be many more employees doing this - not just at AOL, but at other ISPs as well. However, I'm willing to bet that AOL isn't going to hunt for any other people like this doing it. Unless they're made aware of other inside jobs of this, they'll probably stay happily oblivious to anyone else wanting to make a fast buck.

    --
    And tomorrow the stock exchange will be the human race
  14. What about those screennames? by fembots · · Score: 5, Interesting

    Okay the guy has been arrested and fired, but what about those names already sold to spammers?

    In the article AOL didn't seem to mention what they are doing to protect the victims, except "they are thoroughly reviewing and strengthening our internal procedures".

    Is this good enough? Sometimes you can punish the offender enough to compensate the victims.

    --
    Rock that crushes, Paper & Scissors that don't matter.
  15. i've confirmed this. by bani · · Score: 5, Interesting

    i've created hotmail accounts with crypto-hard random usernames, not listed anywhere, and almost immediately started receiving spam to them.

    it seems to really only happen on new accounts though. old hotmail accounts dont seem to get spam, if you dont publish them anywhere.

    it's entirely possible someone has recently (within the last few years) backdoored hotmail's account creation system to notify them of new accounts, which would explain why old accounts dont get any spam.

  16. Honeypotting with stolen names by G4from128k · · Score: 5, Interesting

    This case presents an interesting opportunty. If some of those 92 million names were faked, AOL-internal-only addresses (i.e., no outsider ever had them or ever could have them) then anyone caught using or selling them is guilty of accepting or selling stolen property. Any email arriving to a never-released, but stolen name would let AOL and authorities track the spammer network and subpeona spam-using e-commerce sites to reveal the identity of marketing affiliates.

    --
    Two wrongs don't make a right, but three lefts do.
  17. Re:Access? by YU+Nicks+NE+Way · · Score: 5, Informative
    When I was a young man, a bank in New York hired an ourside consultant to find out how to protect their data against their programmers. The response was one of the shortest lists of recommendations ever:
    • Pay them well
    • Keep them very happy
    • Watch them very very closely
  18. Re:That's a lot of names... by bigman2003 · · Score: 5, Informative

    Especially for a list of confirmed gullible people.

    The chances of an AOL user falling for a spam-scam are probably good. They already fell for one scam, so they've proven themselves to be targets already.

    --
    No reason to lie.
  19. New Dictionary Term by Morgon · · Score: 5, Funny

    smather (verb) To have personal information sold to advertisers without your consent or knowledge.
    "Man, I just got this new Hotmail account, but in less than an hour, it's been smathered!"

    --
    [DISCLAIMER: This post is a work of satire and should not be misconstrued as a holy text upon which to base a religion.]
  20. Oh now that's the last straw by Anonymous Coward · · Score: 5, Funny

    Of all the ills you could accuse AOL of -- lowering the signal-to-noise ratio of the Internet, filling our landfills with CDs -- there is absolutely no evidence that AOL use causes erectile dysfunction ... ... you insensitive clod!