However, the exploit luckstr4w takes credit for writing appears to have been around for much longer. An identical version of it is included in a ZIP file called "tMobile exploit tools" that was posted in October on the illmob.org Web site, in a section reserved for "zero day," or previously unknown, exploits, according to an Illmob member who uses the online name "Pingywon."
Illmob.org was one of the first Web sites to display the Hilton address book information, though the group denies any involvement in the hack or any knowledge of how the address book was stolen, said Pingywon, who described himself as a news poster for Illmob.org, but not the person who posted the Hilton address book.
Sources within the hacking community said that both luckstr4w and the DFNCTSC are unknown. However, whether or not luckstr4w was the author of the password reset exploit, the hole it took advantage of -- if left unpatched by T-Mobile -- was big enough that even inexperienced hackers, or "script kiddies," could use it, provided they knew where to look, experts agree.
Hilton's phone number, which is needed to carry out the hack, was also circulated widely within phone hacking (or "phone phreaking") circles prior to the hack, according to lucky225, a self-described phone phreaker, or hacker, who declined to use his real name.
Phone phreakers took advantage of loose security on T-Mobile's voice mail system and a flaw in Caller ID technology to peruse Hilton's voice mailbox and that of her sister, Nicky, and other celebrities. The Hilton sisters' T-Mobile phone numbers were widely shared on multiuser party lines that are popular meeting places in the phone phreaking community, he said.
The ready availability of Hilton's number, and of an exploit that could be used with it to give Internet users access to her T-Mobile accounts, means that the potential list of suspects for the hack is very long.
However, if luckstr4w's account of the T-Mobile hack is true, it casts doubt on other leading theories of how Hilton's Sidekick was compromised. Observers have theorized that her address book was taken by Jacobsen over a year ago and only recently surfaced, or that the heiress had an easy-to-guess password.
Regardless of who is responsible for the hack, the bigger problem is with T-Mobile and its public-facing Web sites, experts agree.
The company's Web site is a tangle of hundreds or thousands of large and small security holes that would appear in even a routine scan of the site using any vulnerability scanning tool, Koziol said.
He expressed shock that the company had apparently fixed the hole Jacobsen used in 2003, without doing a larger security review of its site that would have turned up other problems.