Three young hackers under investigation for unlawfully accessing personal information on thousands of people in a LexisNexis database have characterized their act as a cyberjoyride that got out of hand.
The hackers, ages 16, 19 and 20, spoke with Wired News by phone Monday and said that in January and February they accessed LexisNexis data -- which included the Social Security number, birth date, home address and driver's license number of numerous celebrities and hacker friends -- to claim bragging rights, rather than to steal identities or sell the information to identity thieves, as some published reports have stated.
"We didn't use the info for bad reasons," said the 16-year-old from Massachusetts, who goes by the handle "Cam0." "It was to have the info and get kicks out of it."
Two law enforcement authorities involved in the LexisNexis investigation told Wired News that they have found no evidence, so far, to indicate that the three hackers used the data to steal identities. They cautioned, however, that the investigation was still underway.
The hackers, who asked Wired News not to disclose their real names because they haven't been arrested or charged with any crime yet, are suspects in a Secret Service investigation into the breach, called Operation Boca Grande (Spanish for "big mouth"), which resulted in raids last week on nine people in four states.
A number of the suspects are members of a hacking group called Defonic Crew, who hang out on a forum at Digitalgangster.com where hackers trade information and brag about exploits. Of the three suspects Wired News spoke with, only Cam0 is a member of Defonic.
Hacking began with AOL
Cam0 is also a suspect in the recent security breach of socialite Paris Hilton's T-Mobile account and was investigated last summer after admitting to Wired News that he hacked America Online and stole AOL Instant Messaging screen names, among other exploits. He has yet to be charged for the AOL breaches but told Wired News on Monday that the AOL activity, which he began in 1997, was the "gateway drug" that emboldened him and other members of Defonic Crew to graduate to other hacking projects.
"If there was a security breach (at AOL), we were all a part of them.... That's how we all started," he said. "We all met up on AOL breaking into their crap. If it wasn't for AOL none of this (LexisNexis stuff) would have happened."
"Shasta," a hacker who knows Defonic Crew but isn't a suspect in the LexisNexis breach, said the success of the AOL breaches made Defonic Crew careless about not covering its tracks in LexisNexis.
"It made them feel invincible," he said. "And they weren't worried about getting caught."
They naturally are circumspect in the face of possible consequences.
"I really wish that I hadn't been able to get access to (the LexisNexis database)," said the 20-year-old, who lives in Rhode Island and goes by the name "Krazed." "Curiosity gets you in trouble."
Last March, LexisNexis revealed that intruders gained access to a database belonging to one of its subsidiaries and obtained the personal data of as many as 310,000 people through numerous name searches. The breach occurred at Seisint, a Florida-based company that LexisNexis bought last year, which maintains databases for law enforcement, legal professionals and others through a service called Accurint.
According to the hackers, none of them knew about LexisNexis or Seisint until they stumbled upon a Florida police officer's Seisint account.
A friend of Krazed masqueraded as a 14-year-old girl online and engaged a Florida police officer in a chat session, the hackers said. The friend sent the officer an attachment, which he said was a slideshow containing naked pictures of the girl he was pretending to be. When the officer clicked on it, a Trojan horse downloaded silently to his computer, which gave Krazed complete access to the computer's files.
A law enforcement agent confirmed this general account of the breach.
Hunting for celebrities
Among the data Krazed found on the computer was a password file with information for accessing an Accurint account. Krazed said he gave the account info to several people who searched celebrity names like Ben Affleck, Matt Damon and Arnold Schwarzenegger to obtain Social Security numbers and other data.
In the meantime, a 19-year-old hacker who lives near Cam0 in Massachusetts searched for other active Accurint accounts using a Java script. He found an account named Null, which he later learned belonged to a Texas police department. The hacker asked to be identified as "Null" for this story.
Posing as a LexisNexis tech administrator, he called Seisint under the guise of running diagnostic tests on the Null account and convinced someone at Seisint to reset the account's password to "Null." Then he used the account to create new accounts under the auspices of the police department.
"A whole bunch of user names were made and people were trading them and passing them around like candy," Null said. "It was getting real bad."
Null said he ran only a few searches himself then closed the accounts he created when he saw things getting out of hand. In a separate incident, he hacked into a gay website called Manhunt.net, broke into the site's instant messaging server and got caught by the website. The experiences convinced him he was wasting his life, he said.
Null said he had a poor education and never made it through high school. He realized he couldn't get a job without a degree and was researching a program that would allow him to attend college for free. He was hoping to study computer science and psychology.
"I just decided to stop it all. I was trying to stop being on the internet ... and straighten out my life," he said.
He said he threw his computer, which he'd received for free, into the ocean.
"It had a lot of things on it and I didn't want (anyone) to associate it with me," he said.
Null said "some Russian kids" hacked into LexisNexis and erased the records for the Null account that he'd been using so there was no trace of it in the system.
But it was too late. In March, LexisNexis announced that intruders breached its system and stole private data on 32,000 people -- a figure that was later upgraded to more than 310,000 people.
On May 16, Secret Service and FBI agents conducted raids on individuals in Minnesota, North Carolina, Massachusetts and California, seizing computer equipment and documents. All search warrants in the investigation have been sealed.
The experience wasn't entirely new for Cam0. A year earlier, the FBI had raided his house for his AOL activity and seized his computer.
"I always had the feeling that with the AOL (thing) I was eventually going to go to court," he said. But the FBI never filed charges, so Cam0 said he got a new computer and "kept going." He said he began hacking "away from home" so his family wouldn't know.
Null wasn't initially hit in the raids -- investigators didn't know where he lived -- but a friend tipped him off with a phone call. Instead of waiting for authorities to find him, he called the Secret Service and asked them not to raid his house. Instead, he met with them and told them what he'd done.
"They were really nice about the whole situation," Null said. "But it's still not looking good for me."
Multiple, independent breaches?
All three hackers say they never sold LexisNexis data to anyone, although Null and Krazed say another hacker may have sold data to someone. This other hacker has not yet been targeted by authorities investigating the LexisNexis breach, according to Null and Krazed. Null said the other hacker first accessed the LexisNexis data while based in California.
On May 17, California authorities near San Francisco did arrest three individuals on drug charges -- one for possession of methamphetamine with intent to sell and the others in connection with operating a methamphetamine lab -- in an investigation that may be related to the LexisNexis investigation. The search warrants have been sealed and authorities aren't allowed to discuss them.
But a police press release said authorities discovered the drug paraphernalia while executing a federal search warrant on a different matter. And the group that executed the warrant was a high-tech task force called REACT, for Rapid Enforcement Allied Computer Team, composed of people from several law enforcement agencies who investigate high-tech crimes. This indicates that the initial reason for the search was computer-related.
Santa Clara County Deputy District Attorney Jim Sibley, project director of REACT, didn't discount that the California arrests were related to the hacker investigation, but said, "To my knowledge the hacker situation in the news has no tie to what we're investigating here."
He suggested, however, that the California arrests might involve a separate investigation of LexisNexis breaches, since the scope of the problem was so great.
"You start looking at an account that's been logged into 500 times and generated 9,000 reports, for example, that's a lot of information (to examine)," Sibley said. "I'm just saying it's not one group that's compromised LexisNexis. Their security is really bad. This isn't a situation where you're talking about needing an überhacker to compromise (the system). Their passwords weren't as secure as your average porn site. I think it didn't take a genius to break them. Although I think the way the hackers did it was creative. We'll give them style points."
A separate source indicated that the California investigation began separately from the hacker investigation when a California parole officer discovered Accurint reports in a parolee's house earlier this year. Authorities contacted LexisNexis, which led the company to disclose the breach in March. An investigation revealed that this particular intrusion had begun in November.
The Secret Service was already investigating the Paris Hilton T-Mobile hack when LexisNexis contacted the agency about its breach. A source said that when the agency discovered that one of its T-Mobile hacking suspects also breached LexisNexis, they launched an investigation, separate from the California investigation, which eventually led to the hackers.
All three of the hackers Wired News interviewed face possible fines and criminal charges in the LexisNexis case for access device fraud and other crimes, which can carry sentences of more than 15 years. Cam0, as a minor, could face possible juvenile detention until the age of 21.
When asked if he's afraid, Krazed said, "Yeah, I don't know what I'm looking at here. It kind of just got out of hand."
Like Null, he can't afford a lawyer and will have to work with a court-appointed attorney. "Hopefully I get lucky and get a competent one."