AT&T apologizes, blames hackers for iPad email breach

The company says it has since changed the log-in mechanism to prevent a repeat attack

AT&T issued an apology on Sunday for a hack that exposed thousands of iPad customers' email addresses last week and vowed to work with law enforcement to prosecute those responsible.

A hacking group called Goatse Security obtained about 114,000 email addresses of people such as White House Chief of Staff Rahm Emanuel and New York Mayor Michael Bloomberg by exploiting an authentication page on AT&T's Website.


The group found that when a correct serial number for the iPad's SIM card, called an integrated circuit card identification (ICC-ID), was entered, the log-in page would return an email address associated with that iPad. They wrote code that would randomly generate those serial numbers and queried the Website until email addresses were returned, according to AT&T.

AT&T designed the site to automatically populate the email field in order to make it easier for its customers to log in. AT&T has since changed the page to require an email address and password to be entered.
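From the defender's side, the querying pattern described above shows up in request logs as one client asking about many different ICC-IDs, most of which match nothing. The detection logic below is an added example, not code from AT&T or from this article; the log format, the `/login/prefill` path, the `iccid` parameter name and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Hypothetical log line: "<client-ip> GET /login/prefill?iccid=<digits> <status>"
LINE_RE = re.compile(r"^(\S+) GET /login/prefill\?iccid=(\d{19,20}) (\d{3})$")

def sample_lines():
    """Constructed log lines: two ordinary customers and one enumerating client."""
    lines = [
        "198.51.100.20 GET /login/prefill?iccid=8901410000000000011 200",
        "198.51.100.20 GET /login/prefill?iccid=8901410000000000011 200",
        "198.51.100.21 GET /login/prefill?iccid=8901410000000000029 200",
    ]
    for i in range(12):
        status = 200 if i % 4 == 0 else 404   # most guesses match no account
        lines.append(
            f"203.0.113.7 GET /login/prefill?iccid=89014100000000{i:05d} {status}")
    return lines

def find_enumerators(lines, max_distinct=5, max_miss_ratio=0.5):
    """Flag clients that query many distinct ICC-IDs or mostly miss."""
    seen = defaultdict(set)      # client -> distinct ICC-IDs requested
    total = defaultdict(int)     # client -> request count
    misses = defaultdict(int)    # client -> requests that returned no record
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue             # ignore lines in any other format
        client, iccid, status = m.groups()
        seen[client].add(iccid)
        total[client] += 1
        if status != "200":
            misses[client] += 1
    flagged = {}
    for client, ids in seen.items():
        miss_ratio = misses[client] / total[client]
        # A real customer repeats one ICC-ID; a guesser spreads across many.
        if len(ids) > max_distinct or (len(ids) > 1 and miss_ratio > max_miss_ratio):
            flagged[client] = {
                "distinct_iccids": len(ids),
                "requests": total[client],
                "miss_ratio": round(miss_ratio, 2),
            }
    return flagged

if __name__ == "__main__":
    for client, stats in find_enumerators(sample_lines()).items():
        print(client, stats)
```

Keying on the client address alone misses a guesser that rotates addresses, so the same counts are worth tracking per session and site-wide as well.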

"The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses," wrote Dorothy Attwood, AT&T's chief privacy officer, in an email sent to affected customers. "They then put together a list of these emails and distributed it for their own publicity."

The email addresses were passed to Gawker.com. Goatse maintains that it did not directly contact AT&T but waited until the company fixed the problem before giving the email addresses to Gawker and said it has since destroyed the data.

Nonetheless, the U.S. Federal Bureau of Investigation opened a probe last Thursday into whether Goatse Security broke the law.

AT&T said only the ICC-ID and email address were exposed and that other personal account information and email content were not. The hackers did not get access to AT&T data networks, according to the letter.

"We apologize for the incident and any inconvenience it may have caused," Attwood wrote. "Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence."

AT&T will not offer any incentives to those customers affected, according to Mark Siegel, executive director for media relations.

Send news tips and comments to jeremy_kirk@idg.com
