The AT&T data leak is no big deal -- really

The world won't end over the exposed email addresses of 114,000 iPad owners -- but you wouldn't know it from the blogosphere

Page 2 of 2

So the bright boys at Goatse, who judging by their names and their Website all appear to be between 14 and 18 years old, began bombarding the AT&T site with URL requests featuring random 20-digit codes. When they hit a match, the site spit out an email address, which Goatse collected.

I'm guessing Goatse continued to do this until they ran out of 20-digit numbers or simply got bored. They then trotted this information out to the media -- using the email addresses of iPad-owning journalists they'd weaseled out of AT&T as bait -- in an attempt to get coverage. Apparently, Gawker bit first.

Here's the deal: Spammers do this kind of thing all the time. It's called a "brute force" or sometimes a "dictionary" attack, during which a bot repeatedly pings a corporate email server with random email addresses, discards those that bounce, and collects the ones that are legitimate. You can visit a spammers' forum and download a program that will do this for you for $20, if not totally free.

The difference? Goatse got two more pieces of information than most spammers collect: that 20-digit ID (fairly useless, unless you're doing a brute force attack on a Website) and the fact these people, like 2 million others, own an iPad. I'm not seeing huge damage potential here. Am I missing something?

Goatse (and Gawker) also made a big deal over the fact that many of the email addresses belonged to people in the White House, the U.S. military, NASA, and major corporations, as well as celebrities like Diane Sawyer and Michael Bloomberg.

It's true -- an especially devious scammer could use this information to target an individual with bogus emails (aka "spear phishing") in an attempt to get him or her to give up passwords or other valuable information.

But you really don't need AT&T's help here either. Many of these same organizations put their employees' email addresses on their Websites. Even if they don't, it's pretty simple to guess email addresses once you know their domain. There are only so many ways it's done -- cringely@, rcringely@, robert_cringely@, robert.cringely@, cringelyr@, or if they're a teensy company and he's their first employee, bob@. (And of course my preferred handle, cringe@.) That's about it. You could launch your own brute force attack, one name at a time, if you really wanted to.

AT&T has since turned off the feature that spit out your email address when you log on, and that's probably where the matter should end. Should AT&T be spanked for this? Sure. But we're a long way from data Armageddon. Google's egregious Wi-Fi data snooping and even Facebook's plans to butter your personal information all over the InterWebs are far worse, in my opinion.

Too bad. Because I was really looking forward to whacking AT&T one more time.

Can any company be trusted with your data? Who do you trust? Post your thoughts below or email me:

This story, "The AT&T data leak is no big deal -- really," was originally published at Read more of Robert X. Cringely's Notes from the Field blog.

| 1 2 Page 2