Major AT&T security breach as 114,000 iPad owners exposed

Gawker Media has uncovered a major security breach at AT&T exposing iPad owners including dozens of CEOs, military officials, and top politicians.

Gawker was handed an exclusive email list drawn from a collection of early-adopter iPad 3G subscribers. The list contains thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News. The list even includes White House Chief of Staff Rahm Emanuel's information.

The information exposed in the breach includes the subscribers' email addresses and a unique ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID. The subscriber data was obtained by a group named Goatse Security. The group wrote a PHP script to automate data retrieval by querying a script on AT&T's website that was accessible to everyone.

"When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad 'Settings' application," wrote Ryan Tate of Gawker Media.
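As an added illustration (not from the original article, Gawker or AT&T), the access pattern described above can be spotted in web-server logs: a legitimate device asks only for its own ICC-ID, while an automated harvest shows one client requesting many distinct IDs. The log format, the `/lookup` path, the `iccid` parameter and the threshold are assumptions, and every log line is constructed.

```python
import re
from collections import defaultdict

# Hypothetical log format and endpoint: "/lookup" and "iccid" are stand-ins,
# not AT&T's real path or parameter name.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[[^\]]+\] "GET /lookup\?iccid=(?P<iccid>\d{19,20}) '
    r'HTTP/1\.[01]" (?P<status>\d{3})$'
)

def _line(ip, iccid, status=200):
    """Build one constructed access-log line (sample data, not real traffic)."""
    return f'{ip} [01/Jan/2000:00:00:00] "GET /lookup?iccid={iccid} HTTP/1.1" {status}'

# Constructed sample: one device repeating its own ID, one address with two
# devices behind it, and one client walking through consecutive IDs.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.10", "89014100000000000017")] * 3
    + [_line("192.0.2.44", i) for i in ("89014100000000000025",
                                         "89014100000000000033")]
    + [_line("203.0.113.7", str(89014100000000000100 + n)) for n in range(5)]
)

def find_enumerators(log_text, max_distinct=3):
    """Return {client_ip: distinct ICC-ID count} for clients over the threshold."""
    seen = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # ignore lines that are not lookups
            seen[m["ip"]].add(m["iccid"])
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) > max_distinct}

if __name__ == "__main__":
    for ip, count in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip} requested {count} distinct ICC-IDs")
```

Counting distinct IDs only flags a harvest after the fact; the lookup itself should require an authenticated session tied to the subscriber rather than trusting a guessable identifier.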

AT&T became aware of the exploit on Monday and issued a patch to fix the hole on Tuesday. As for the users' data, Gawker said it would not make the list of emails public, but it's still unclear if the initial hacker has sold the list to any underground community.

In the list of emails, a number of famous people and US military and government officials were exposed. There is no direct threat to the email accounts themselves, as the exploit doesn't expose passwords; affected users may perhaps just receive some spam emails.

AT&T issued this statement regarding the exploit:

"AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device.

This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.

The person or group who discovered this gap did not contact AT&T.

We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.

We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted."

34 Comments

And they say people hate AT&T Between dropped calls, their ever changing data plans and now this? They better hold on to that exclusive agreement as long as possible.

Xero said,
And they say people hate AT&T Between dropped calls, their ever changing data plans and now this? They better hold on to that exclusive agreement as long as possible.
I feel ATT is Apple's bitch and is letting them rule them and make new policies so they can keep the iPhone exclusive just to ATT. Though, I am on ATT (non-iPhone user) and I don't experience anything the iPhone users complain about in NYC. The iPhone as a phone is poorly designed.

naveeed said,
Ohhhh. No. One more......issue with. AT&T..... Only ipad... Could it be with iphone also??????

The iPhone doesn't have the feature in question so it can't be exploited that way. Even if it were exploitable, the problem has been 'patched' for 2 days now. In other words, the script in question has been removed.

splur said,
That's a lot of government employees and military who got iPads and used their work email.

Believe it or not, but lots of folks (usually above 40yo) only have 1 email address: their work email's address.

essential+ said,

Believe it or not, but lots of folks (usually above 40yo) only have 1 email address: their work email's address.

or maybe they got their iPad from their employer?
I somehow doubt anyone from DARPA uses their work email for private matters.

On Monday, over 114,000 emails of iPad 3G owners ... The hacker was able to gather emails of every AT&T customer...

Email: A message to one or more individuals. Generally considered private to the parties addressed, and disclosure of email would be a serious offense.

Email Address: A destination to which one can send messages. Generally considered personal, but not private. We already deal with unsolicited messages on a worldwide scale.

There is a difference. It is not small. You can't abbreviate the entire word out of it.

random_n said,

Email: A message to one or more individuals. Generally considered private to the parties addressed, and disclosure of email would be a serious offense.

Email Address: A destination to which one can send messages. Generally considered personal, but not private. We already deal with unsolicited messages on a worldwide scale.

There is a difference. It is not small. You can't abbreviate the entire word out of it.

Use the "Report Problem" button. It's there for a reason

They may have blocked out the first half of those emails, but it's still pretty obvious what the full address is for most of them.

Chase Carey _____@newscorp.com


I'll give you two guesses as to what the blank is.

reidtheweed01 said,
They may have blocked out the first half of those emails, but it's still pretty obvious what the full address is for most of them.

Chase Carey _____@newscorp.com

I'll give you two guesses as to what the blank is.

And it was hard to guess said e-mail address in the first place, considering you knew where the person in question worked and their name? Come on now.

and Gawker magically has this list because....?
But still "Information Expose", Oh snap guys they are going to spam my email oh noes.

Off topic: anyone see Jon Stewart make the joke about building an AT&T tower in NYC? Funny stuff. AT&T is getting hammered these days with criticism.
