AT&T apologizes, blames hackers for iPad e-mail breach

The company says it has since changed the login mechanism to prevent a repeat attack

AT&T issued an apology on Sunday for a hack that exposed thousands of iPad customers' e-mail addresses last week and vowed to work with law enforcement to prosecute those responsible.

A hacking group called Goatse Security obtained about 114,000 e-mail addresses, including those of people such as White House Chief of Staff Rahm Emanuel and New York Mayor Michael Bloomberg, by exploiting an authentication page on AT&T's Web site.

The group found that when a correct serial number for the iPad's SIM card, called an integrated circuit card identification (ICC-ID), was entered, the log-in page would return an e-mail address associated with that iPad. They wrote code that would randomly generate those serial numbers and queried the Web site until e-mail addresses were returned, according to AT&T.

AT&T designed the site to automatically populate the e-mail field in order to make it easier for its customers to log in. AT&T has since changed the page to require an e-mail address and password to be entered.
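The pattern described above, one client submitting many different ICC-IDs to a lookup page, is visible in access logs. The following is an added example, not code from AT&T or from this article: a sliding-window check over constructed log lines, where the `/login/prefill` path, the log format, the ICC-ID values and the thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

WINDOW = timedelta(minutes=5)  # sliding window per client (assumed value)
MAX_DISTINCT = 3               # a real device presents one ICC-ID; allow a few (assumed)

# Constructed sample log: "ISO-timestamp client-ip request-target status".
# 198.51.100.7 is one device repeating its own ICC-ID; 203.0.113.9 cycles through six.
SAMPLE_LOG = (
    [f"2024-01-01T10:00:{s:02d} 198.51.100.7 /login/prefill?iccid=89014100000000000011 200"
     for s in (0, 20, 40)]
    + [f"2024-01-01T10:01:{s:02d} 203.0.113.9 /login/prefill?iccid=8901410000000000{s:04d} "
       f"{200 if s == 30 else 404}" for s in range(0, 60, 10)]
)

def parse(line):
    """Split one constructed log line into (timestamp, client, iccid, status)."""
    ts, client, target, status = line.split()
    iccid = parse_qs(urlsplit(target).query).get("iccid", [None])[0]
    return datetime.fromisoformat(ts), client, iccid, int(status)

def find_enumerators(lines, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {client: {"distinct": n, "misses": m}} for every client that sent
    more than max_distinct different ICC-IDs inside any one window.
    Lines are assumed to be in time order."""
    recent = defaultdict(deque)  # client -> (ts, iccid, status) still inside the window
    flagged = {}
    for line in lines:
        ts, client, iccid, status = parse(line)
        if iccid is None:
            continue  # request did not carry an ICC-ID
        q = recent[client]
        q.append((ts, iccid, status))
        while ts - q[0][0] > window:  # evict entries older than the window
            q.popleft()
        distinct = len({i for _, i, _ in q})
        if distinct > max_distinct and distinct > flagged.get(client, {}).get("distinct", 0):
            # Keep the worst window seen; a high miss count suggests guessed identifiers.
            flagged[client] = {"distinct": distinct,
                               "misses": sum(1 for _, _, s in q if s == 404)}
    return flagged

if __name__ == "__main__":
    for client, stats in find_enumerators(SAMPLE_LOG).items():
        print(client, stats)
```

A check like this only detects the behaviour; the change AT&T describes, no longer returning the e-mail address for a bare ICC-ID, is what removes the exposure.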

"The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer e-mail addresses," wrote Dorothy Attwood, AT&T's chief privacy officer, in an e-mail sent to affected customers. "They then put together a list of these e-mails and distributed it for their own publicity."

The e-mail addresses were passed to Gawker.com. Goatse maintains that it did not directly contact AT&T but waited until the company fixed the problem before giving the e-mail addresses to Gawker and said it has since destroyed the data.

Nonetheless, the U.S. Federal Bureau of Investigation opened a probe last Thursday into whether Goatse Security broke the law.

AT&T said only the ICC-ID and e-mail address were exposed and that other personal account information and e-mail content were not. The hackers did not get access to AT&T data networks, according to the letter.

"We apologize for the incident and any inconvenience it may have caused," Attwood wrote. "Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence."

AT&T will not offer any incentives to those customers affected, according to Mark Siegel, executive director for media relations.

Send news tips and comments to jeremy_kirk@idg.com
