The 18-year-old suspects, who live in a small village of about 700 people in southwest Wales, were arrested yesterday and charged under Britain's Computer Misuse Act of 1990. The names of the suspects, who were released on bail, were not disclosed by British police.
The teenagers are accused of stealing information related to more than 26,000 credit card accounts and posting the numbers on the Web using the nickname "Curador," according to the Federal Bureau of Investigation. The Web sites hit were based in the United States, Canada, Thailand, Japan and Britain, the FBI said.
The bureau added that the losses connected with the computer break-ins could exceed $3 million.
As earlier reported by CNET News.com, a hacker going by the name of Curador claimed responsibility for at least eight Web site break-ins in four countries. All the sites were relatively small, ranging from e-commerce marketplace SalesGate.com to the American Society of Clinical Pathologists site.
In a letter posted online, the hacker claimed to have taken advantage of a known bug in Microsoft software to read sites' commerce databases and to download more than 23,000 credit card numbers.
The arrests were welcome news to the hacked sites--and to an e-commerce industry facing renewed concerns about online security and privacy. Several other high-profile incidents of online credit card theft have made headlines in recent months, and the memory of the massive distributed denial-of-service attacks which temporarily shut down sites including Yahoo and eBay is still fresh in people's minds.
Another incident, in which a hacker named "Maxus" obtained close to 350,000 credit card numbers from e-commerce site CD Universe and then tried to extort money from the Web company, also made headlines early this year.
One security consultant hired by a firm hacked by Curador said the case showed that even relatively inexperienced hackers, far from the mainstream of high-tech society, can do serious damage.
The hackers left a clear digital trail for investigators to follow, said Chris Davis, a Canadian security consultant with Tyger Team.
"Their sophistication level was very low," he said. "They were sophisticated enough to get into the sites. But obviously they were not as bright as they thought they were."
In each of the eight cases for which Curador took credit, a well-known bug in Microsoft's e-commerce software allowed the intruder to download credit card information from the Web sites' databases, the victims have said. In several of the cases, the hacker left a digital trail that pointed to a single Internet service provider in the United Kingdom and left an identical digital "fingerprint," Davis said.
Microsoft released a patch for the security hole in mid-1998, and it has since sent several bulletins to software users asking them to download and install it.
Curador also apparently registered several domain names using stolen credit card numbers and later used those names to post the numbers online, Davis said. A credit card used to register "e-crackerce.com" belonged to a Jacksonville, Fla., postal worker, Stacey Yaple, who reported the incident to the FBI after she saw Curador's site.
For the domain name "curador.com," also used to post the credit card information online, the hacker gave a fictitious company address in Swansea, Wales, a town just a few miles from the suspects' homes.
"I think anytime both consumers and retailers feel like government can actually do something about the problem, and that there are real penalties, then they will feel more confident shopping," said Jamie Lewis, CEO of the Burton Group, a high-tech consulting firm in Salt Lake City.
The case should underscore the need for businesses to ensure that all online security holes have been closed, analysts added.
Law enforcement officials have not made any arrests in several other high-profile cybercrime cases, including the CD Universe case and the denial-of-service attacks on Yahoo and others.