pad[illac] (g) wrote,

The first and last time AIM was hacked

I'm an AOL hacking historian. No doubt about it.

I remember intimate details about most of the major breaches that occurred between the mid 90s and 2000s. I was there and actively participating in most of it. America Online's security was being compromised nonstop. It was unbelievable. Corporate cybersecurity has a bad reputation now, but what was commonplace then is unthinkable now. Security was bad. This was especially the case with AOL.

Through phishing attacks, password cracking, social engineering, whatever it took - we were breaking into employee accounts and staff areas at scale. In the late 90s and early 2000s the golden goose was the customer records information system, or as it was known most commonly, "CRIS", which AOL employees used to action customer accounts.

Early AOL "Mac hackers" (Macintosh users) - many congregating in the private chat "macfilez" - were the first to access CRIS. Legendary early Mac hackers like "Happy Hardcore" were able to breach various internal accounts and gain access. This was before the keyword became LAN only, i.e. on-campus VPN use only. There is a misconception in cybersecurity. Massive corporations are expected to have the tightest security. The truth is that the more employees a corporation has, the less secure it is - and AOL is a perfect example.

AOL + loads of employees = tons of AOL accounts being hacked through CRIS, and later Merlin. This is in contrast to the AIM team which was very small.

AIM + very few employees = very few AIM accounts being hacked outside of screen name exploits here and there. Nobody even knew the name of AIM's internal area(s).

Fast forward to autumn of 2003 and meet a couple old friends of mine - Dime and Toast. That's when they discovered, and subsequently broke into, the LAN-only AIM admin web area. It was called WHAOPS. For the first time in history AOL hackers were finally able to learn the name of, and actually view, the elusive AIM administration panel.

Dime programmed a botnet web browser in Delphi in such a way that it let him take infected AOL employee computers and leverage them to connect to staff-only websites. Prior to finding WHAOPS, we'd just been hanging out and watching zombie AOL staff computers fill an IRC channel, casually surfing their internal networks to see what we could uncover.

Toast, Dime's twin brother, found WHAOPS. From there they started methodically targeting AIM team members, of which there were few. Eventually they hacked an AIM admin screen name, used the botnet web browser, logged into (iirc) and started raising hell. They reset the password to "OnlineHost", stole a slew of screen names, suspended and unsuspended other people's accounts at will - all types of fuckery.

It was an incredible night, and it was Dime's final performance. He pulled off the impossible and quit the scene permanently. I think it's unfortunate that only hackers who were busted were immortalized by the internet. Dime and Toast are legends you'd have never otherwise heard of. This post is for them. {S GOODBYE

<3 pad

YCombinator Update Sept 23, 2021
First of all, Null, or "risk", Dime just said you're full of shit. Nobody helped him code anything. I say you're full of shit too.

The following comment was written by someone named Justin Perras aka Null who came into the scene after Dime had already left. This guy always pops up to lie on my reputation to discredit me (by, again, lying) whenever I write anything. The last time this happened was on DG last year. Today it was YCombinator.

The cognitive dissonance needed for Justin to call me a groupie is immeasurable. YCombinator ghosted my response post because it was submitted by a new account - here's that:

Hopefully that summarizes it but the tl;dr is that I'm a triple OG and Null is a coattail riding poor retard with abysmal grammar. You'll never make anything of yourself my guy. Hell, we're old. You just never pulled it off. While the upper echelon (i.e. not you) was pushing up 7 figure stats you were skidding about in the playground we left behind for you. You never managed to find yourself a seat at the table Justin. I talk to millionaire entrepreneurs all day and do very well for myself. How about you? You're a loser and that's nothing new - and you are a liar.

In other news - I managed to summon the backend programmer of WHAOPS. That was interesting.


