Hackers Target AT&T iPad Users, Obtain 114,000 High Profile E-mail Addresses
The scam was apparently pulled off by a group unfortunately named Goatse Security [Ed. Note: Google it. On second thought, save yourself the NSFW results.], which obtained the addresses by using a script to enter random iPad ID numbers, or ICC-IDs, into AT&T's site. Whenever a valid ID number is entered into a program on the site, the company discloses the e-mail account associated with that number. Goatse itself eventually informed AT&T of the breach, and the leak was plugged on Tuesday.
In a statement, AT&T apologized to users, and assured them that the "only information that can be derived from the ICC IDS is the e-mail address attached to that device." Apple, meanwhile, has not yet issued a statement. Some security experts remain unconvinced that the leaked e-mail addresses won't lead to further privacy breaches. As UCSD communication networks expert Michael Kleeman told the New York Times, "You could in theory find out where the device is." He admits, though, that doing so would require "access to very secure databases that are not generally connected to the public Internet."
In an interview with Gizmodo, AT&T chief security officer Ed Amoroso explains that the whole snafu is the direct result of a feature designed to make customers' lives easier. When a customer signs up for 3G, AT&T assigns them an ICC-ID number, and asks the user to provide an e-mail address to link to that ID. That way, when users log on to the site to access their account information, the network automatically recognizes them, meaning they don't have to enter their e-mail information each time -- only their password.
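The sign-in shortcut described above, sketched as an added example (not AT&T's code and not part of the original article): a lookup that hands back the e-mail for any valid ICC-ID, next to one that keeps the address on the server until the password is verified. The account store, the ICC-ID value and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample store: ICC-ID -> (e-mail, salt, password hash).
SALT = os.urandom(16)
ACCOUNTS = {
    "89014100000000000017": ("alice@example.com", SALT,
                             hash_password("correct horse", SALT)),
}
# Dummy record so unknown ICC-IDs cost the same hashing work as known ones.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password(os.urandom(16).hex(), DUMMY_SALT)

def prefill_vulnerable(icc_id: str) -> dict:
    """Pattern from the article: a valid ICC-ID alone yields the e-mail."""
    account = ACCOUNTS.get(icc_id)
    if account is None:
        return {"status": "unknown"}
    return {"status": "ok", "email": account[0]}

def prefill_hardened(icc_id: str) -> dict:
    """Identical reply for every ICC-ID, valid or not; no e-mail is returned."""
    return {"status": "password_required"}

def login_hardened(icc_id: str, password: str) -> dict:
    """Resolve the ICC-ID server-side; reveal the e-mail only after the
    password checks out, so the user still types only a password."""
    email, salt, stored = ACCOUNTS.get(icc_id, ("", DUMMY_SALT, DUMMY_HASH))
    supplied = hash_password(password, salt)
    password_ok = hmac.compare_digest(supplied, stored)  # constant-time compare
    if password_ok and icc_id in ACCOUNTS:
        return {"status": "ok", "email": email}
    return {"status": "denied"}
```
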
It remains to be seen how AT&T handles this crisis, at a time when its relations with Apple and its customer base are already strained. But perhaps the company would be well served to heed the ironic words of CEO Randall Stephenson, who, according to Gawker, declared at an IBM security conference yesterday, "If you lose the customers' confidence once on a [matter of] privacy... it would be a hard issue to recover from." [From: Gawker, New York Times and Gizmodo]