In June 2010, Andrew Auernheimer, a well-known Internet-security expert, discovered a gaping hole in AT&T’s website that exposed 114,000 e-mail addresses belonging to the wireless giant’s Apple iPad customers. After a colleague downloaded the data, Auernheimer passed the information to a journalist at Gawker. The episode was a major embarrassment for AT&T because the list included thousands of high-profile individuals, including New York City Mayor Michael Bloomberg and then White House chief of staff Rahm Emanuel. AT&T quickly patched the hole.

The FBI promptly launched an investigation, and in November, Auernheimer was convicted of two felony counts under the Computer Fraud and Abuse Act (CFAA), a 1980s-era law originally designed to punish and deter intrusions into government and financial-industry computer systems. His colleague Daniel Spitler pleaded guilty last year. On Monday, Auernheimer, 27, was sentenced to 41 months in prison and ordered to pay $73,000 in restitution to AT&T. He has vowed to appeal.

Auernheimer’s case is just the latest involving the CFAA amid what appears to be an intensifying federal crackdown against so-called hackers. The CFAA makes it a federal crime to “access a computer without authorization or exceed authorized access.” Critics say the law has been twisted by U.S. prosecutors to bully and intimidate security researchers, journalists and activists with extremely harsh federal prison sentences.

Earlier this month, Reuters journalist Matthew Keys, 26, was indicted on CFAA felony charges alleging that he provided a hacker with log-in credentials to access the Los Angeles Times website, which was then vandalized. Keys faces 25 years in prison and a $500,000 fine. The CFAA was also used to prosecute Aaron Swartz, the 26-year-old programmer who killed himself earlier this year. Swartz had been charged with accessing a server at the Massachusetts Institute of Technology and downloading too many articles from the subscription-based academic research service JSTOR.