The theft and the AT&T security weakness that made it possible were revealed months ago, and U.S. Attorney Paul Fishman said there was no evidence the men used the swiped information for criminal purposes. Authorities cautioned, however, that it could theoretically have wound up in the hands of spammers and scam artists.
Daniel Spitler, a 26-year-old bookstore security guard from San Francisco, and Andrew Auernheimer, 25, of Fayetteville, Ark., were charged with fraud and conspiracy to access a computer without authorization.
Fishman said the men and their cohorts were engaged in "malicious one-upsmanship" as they sought to impress each other and others online.
"We don't tolerate committing crimes for street cred," Fishman said. "Computer hacking is not a competitive sport, and security breaches are not a game."
Spitler appeared in federal court in Newark and was released on $50,000 bail. A U.S. magistrate ordered him not to use the Internet except at his job at a Borders bookstore.
"I maintain my innocence and I'm not worried about this case at all," Spitler said outside court. "The information in the complaint is false. This case has been blown way out of proportion."
At Auernheimer's court appearance in Fayetteville - where he also faces drug charges stemming from a search of his home in June - he was ordered held pending a bail hearing on Friday. He told a magistrate that he had been drinking until 6:30 a.m., and he mocked the case against him, telling federal officials in the courtroom, "This is a great affidavit - fantastic reading."
The stolen e-mail addresses, on their own, aren't that valuable; many of them could easily have been guessed by knowing a person's name and how his or her organization structures its e-mail addresses.
But once they knew a person was an iPad owner and an AT&T customer, cybercriminals and spammers could have sent e-mails that looked like they came from Apple or AT&T, tricking the recipient into opening them.
Those e-mails could, in turn, plant malicious software on the recipient's computer or trick the person into sharing vital private information, such as Social Security or credit card numbers.
The criminal complaint against Spitler and Auernheimer details online conversations in which their cohorts discuss selling the addresses to spammers.
"you could put them in a database for spamming for example sell them to spammers," a user named Nstyr wrote to Spitler.
"tru ipad focused spam," Spitler allegedly responded.
The complaint also quotes an article published on Gawker.com that contended the e-mail addresses of film mogul Harvey Weinstein, then-White House chief of staff Rahm Emanuel, New York Mayor Michael Bloomberg and Diane Sawyer of ABC News were among those lifted from AT&T's servers.
The case was brought in New Jersey because about 16,000 victims live in the state, Fishman said.
AT&T spokesman Mark Siegel said, "We take our customers' privacy very seriously."
Apple referred questions to AT&T.
In June, AT&T acknowledged a security weak spot on a website that exposed the e-mail addresses of apparently more than 100,000 iPad users. The company said that the vulnerability affected only iPad users who signed up for AT&T's 3G wireless Internet service and that it had fixed the problem.
A hacker group that called itself Goatse Security claimed at the time to have discovered the weakness and said it was able to trick AT&T's site into coughing up more than 114,000 e-mail addresses.
Both Spitler and Auernheimer were members of the group, authorities said.
A representative for the group told The Associated Press in June that it contacted AT&T and waited until the vulnerability was fixed before going public with the information. Federal prosecutors disputed that on Tuesday, saying AT&T was unaware of the breach until it appeared in online media reports.
Representatives of Goatse Security did not immediately respond to an e-mail from AP.
According to court papers, the suspects used a computer script they called "the iPad3G Account Slurper" to fool AT&T's servers into thinking they were communicating with an actual iPad.
The theft of the e-mail addresses occurred between June 3 and June 8, according to court papers. On June 9, the information was provided to Gawker, which published an article on the breach.
Prosecutors said Auernheimer bragged about the operation in a blog posting June 9 and in an interview with CNET published online on June 10. Court papers also quote him declaring in a New York Times article: "I hack, I ruin, I make piles of money. I make people afraid for their lives."
Some hackers take pride in finding security flaws in various products and portray themselves as performing an important public service.
Anup Ghosh, founder and chief scientist of security company Invincea, said the case should remind hackers that there is a difference between hacking to expose vulnerabilities and "attacking someone's property."
Gunter Ollmann, vice president of research at Damballa, another security company, said that in this case, intentionally taking information served no additional purpose in helping AT&T fix the problem.
Ollmann likened it to someone finding a flaw in a bicycle lock, alerting the manufacturer to the problem and then setting out "to steal the bikes secured by the vulnerable lock across an entire city as a means of saying, 'I told you so."'