Skip to: [ search ] [ menus ] [ content ] Select style [ Aqua ] [ Citrus ] [ Fire ] [ Orange ] [ show/hide more content ]

AT&T Web site hole exposed 114,000 iPad user email addresses

Hackers exploited a hole in an AT&T Web site and grabbed the email addresses of about 114,000 iPad users, including those of what appear to be top government officials, and people in finance, media, the military, and technology. According to CNET:

“Among the iPad users who appeared to have been affected were White House Chief of Staff Rahm Emanuel, Diane Sawyer, New York Mayor Michael Bloomberg, movie producer Harvey Weinstein, and New York Times CEO Janet Robinson.”

The story was broken by Gawker today. According to Gawker, the leak could have affected all iPad 3G subscribers in the U.S.! A group called Goatse Security tricked the AT&T site by sending HTTP requests that included SIM card serial numbers for iPads. The serial numbers are called ICC-IDS (integrated circuit card identifiers) and are generated sequentially. The researchers were able to guess thousands of the ICC-IDS and then ran a program to go down the list and extract linked data, which are apparently ONLY email addresses, according to AT&T. (Note added later, June 9, 2010: Goatse analyst Jim Jeffers said, “it will allow someone who does the proper research to possibly target iPad 3G users and take over their iPads, and they could sniff traffic, they could act as the user of the iPad.” The Goatse analyst explains the AT&T data breach in a podcast.)

AT&T spokesman, Mark Siegel confirmed the breach to CNET and said that the feature that exposed the email addresses was turned off on Tuesday, a day after learning about it from a business customer on Monday!

Security experts stressed that the problem was related only to AT&T’s Web site, NOT Apple’s iPad.

According to Bill Pennington, chief strategy officer at White Hat Security:

“Now everyone in the world knows these people have iPads, and here’s their serial number and here’s their e-mail address.” “This puts them in a more vulnerable state.” Pennington said, “I believe this number could identify any 3G device on the AT&T network,” not just iPads.

Chris Wysopal, chief technolgoy officer at Veracode said:

“It is an authentication error to not require user authentication before returning private data.” “This is the type of vulnerability that would be found with a very basic Web application assessment. Apple should require its service providers to show proof of an assessment of its Web apps if sensitive Apple customer <information> is stored there.”

A redacted list of some of the serial numbers and returned email addresses is in the CNET article.

(Note added June 10, 2010: Someone needs to talk with CNN Money’s staff reporter Ben Rooney’s editor – AT&T did NOT fix “a major iPad 3G security hole.” AT&T fixed their own Web site vulnerability, that experts above think would have been found if AT&T had done some “very basic Web application assessment.” There is all the difference in the world. If you need someone who can edit technical prose, make me an offer.)

(Note added later June 10, 2010: CNET’s Elinor Mills has published an FAQ on the incident. [For the record, Elinor knows what she is doing when she writes technical prose!)

(Note added June 11, 2010: Oh my! Now the FBI is investigating the AT&T security breach.)

(Note added later June 11, 2010: Oh-oh! “Come out with your hands up! This is the FBI!” :-) )

(Note added June 14, 2010: Elinor Mills of CNET provides a very “even-handed” “post-mortem” discussion of the incident today. The column notes that although AT&T issued an apology to its affected iPad 3G customers over the weekend, most of the email was used to blame the hackers/researchers who discovered the problem, instead of accepting responsibility. I have personally experienced this attitude firsthand from a number of customers, when I worked in high-tech, including one of AT&T’s precursors.

Some personality types have problems accepting responsibility for their own actions [or omissions], and often need a scapegoat. Regrettably, many of these types RUN large companies and other institutions.)

(Note added June 15, 2010: Today, in the “You’re in a heap o’trouble boy, fer shure” department, a key member of the Goatse Security group that discovered the AT&T security gaff, Andrew Auernheimer, 24, AKA “Escher, AKA “Weev,” is being held in Washington County Detention Center after his arrest at his home in Fayetteville, Arkansas. Auernheimer faces four felony counts and one misdemeanor count of possession of a controlled substance. The drugs included cocaine, ecstasy, LSD, and schedule 2 and 3 pharmaceuticals, and the drugs were found during the execution of an FBI search warrant. A hearing is scheduled for June 18 in Washington County Circuit Court.)

-Bill at

Cheshire Cat Photo™ – “Your Guide to California’s Wonderland™”

You can view higher-resolution photos (*generally* 7-30 megabytes, compressed) at the Cheshire Cat Photo™ Pro Gallery on Shutterfly™, where you can also order prints and gifts decorated with the photos of your choice from the gallery. Apparel and other gifts decorated with some of our most popular photos can be ordered from the Cheshire Cat Photo™ Store on CafePress®. Both Shutterfly™ and CafePress® ship to most international locations worldwide! Framed prints and prints on canvas can be ordered from our galleries on imagekind® and redbubble®. All four locations are accessible from here. Be a “Facebook Fan” of Cheshire Cat Photo here! If you don’t see what you want or would like to receive an email when new photos are up on the site, send us an email at

©2010 William F. Hackett. All Rights Reserved.

No Comments to “AT&T Web site hole exposed 114,000 iPad user email addresses”

  (RSS feed for these comments)

You must be logged in to post a comment.

InspectorWordpress has prevented 52153 attacks.
Get Adobe Flash player