AT&T Security Hole Revealed Email Addresses Of iPad Owners

from the whoops dept

Apparently, a security vulnerability in the way AT&T set up its network allowed hackers to capture the email addresses of 114,000 iPad owners. The breach was pretty basic stuff: if you fed an iPad ID number to a script that was publicly available on AT&T's website, it returned to you the email address associated with that ID. The hackers quickly set to testing out tons of likely IDs, and got back all those email addresses, including those of top execs at a bunch of big media companies, such as the CEO of the NY Times, CEO of Time, Inc., the President of News Corp, the CEO of Dow Jones and New York City mayor Bloomberg. Oh yeah, also a bunch of government emails: "Rahm Emanuel and staffers in the Senate, House of Representatives, Department of Justice, NASA, Department of Homeland Security, FAA, FCC, and National Institute of Health, among others." AT&T issued the expected "oops" statement soon after this was exposed.
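An added example, not from the original post or from AT&T: one way a defender could spot this kind of ID guessing in web access logs, by flagging any client that asks about many distinct device IDs. The `/lookup` path, the `id` parameter, the log layout, the thresholds and the log lines themselves are all constructed for illustration.

```python
import re
from collections import defaultdict

# Hypothetical log layout: "<client-ip> GET /lookup?id=<digits> <status>"
LINE_RE = re.compile(r"^(\S+) GET /lookup\?id=(\d+) (\d{3})$")

def find_enumerators(lines, min_distinct=5, step=10):
    """Return {client: stats} for clients whose lookups look like ID guessing."""
    ids = defaultdict(set)
    misses = defaultdict(int)
    total = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a lookup request
        client, dev_id, status = m.group(1), int(m.group(2)), m.group(3)
        ids[client].add(dev_id)
        total[client] += 1
        if status != "200":
            misses[client] += 1  # guessed ID that matched no account

    flagged = {}
    for client, seen in ids.items():
        if len(seen) < min_distinct:
            continue  # a genuine device only ever asks about its own ID
        ordered = sorted(seen)
        # Guessing "likely" IDs walks a narrow numeric range in small steps.
        small = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a <= step)
        flagged[client] = {
            "distinct_ids": len(seen),
            "miss_ratio": round(misses[client] / total[client], 2),
            "sequential_ratio": round(small / (len(ordered) - 1), 2),
        }
    return flagged

# Constructed sample: one ordinary client, one client walking an ID range.
SAMPLE_LOG = [
    "198.51.100.7 GET /lookup?id=9990000000000000017 200",
    "198.51.100.7 GET /lookup?id=9990000000000000017 200",
] + [
    f"203.0.113.9 GET /lookup?id={9990000000000000100 + i} "
    f"{'200' if i % 3 == 0 else '404'}"
    for i in range(9)
]

if __name__ == "__main__":
    for client, stats in find_enumerators(SAMPLE_LOG).items():
        print(client, stats)
```

Detection of this kind complements the underlying fix, which is not returning the address to unauthenticated callers in the first place.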


Reader Comments

  •  
    Jeff, Jun 9th, 2010 @ 7:07pm

    This is why I am a PC and don't own the iCrap.

     


  •  
    Anonymous Coward, Jun 9th, 2010 @ 9:12pm

    What? A blog broke this story? Not the New York Times? I'm so confused.

     


    •  
      Anonymous Coward, Jun 9th, 2010 @ 10:11pm

      Re:

      What? A blog broke this story? Not the New York Times? I'm so confused.

      The group that exploited the security hole basically gave them the story directly. Why them and not, say, the NYT? Maybe the more "instant" exposure. Maybe the tech focus. Or maybe, given Gawker Media's recent history, the biggest paycheck for the information.

      The writeup is suitably histrionic. Some email addresses got harvested, but repeatedly the article states that information or accounts were "compromised." Yeah, and I walked down Main Street, wrote down the numbers on the houses, and "compromised" those houses too. My email address is on my Website, if you care to write me. I guess my email account is now "compromised" also.

      Here's another big secret that could lead to a major breach: many companies use the form "first initial-last name@example.com" as the format of their email addresses. Some even use First.M.Last@example.com!

      OH NOES I HAVE COMPROMISED THE ACCOUNTS OF MILLIONS!

       


      •  
        Anonymous Coward, Jun 10th, 2010 @ 12:07am

        Re: Re:

        http://www.nytimes.com/2010/06/10/technology/10apple.html?ref=technology

        But experts said that ICC-ID numbers could, in the right hands, be used to get other information, like an iPad’s location.

        The breach “should be worrying people a lot,” said Nick DePetrillo, an independent security consultant.

        Michael Kleeman, a communications network expert at the University of California, San Diego, said that AT&T should never have stored the information on a publicly accessible Web site. But he added that the damage was likely to be limited.

        “You could in theory find out where the device is,” Mr. Kleeman said. “But to do that, you would have to gain access to very secure databases that are not generally connected to the public Internet.”

         


        •  
          abc gum, Jun 10th, 2010 @ 5:15am

          Re: Re: Re:

          But experts say that Street Addresses could, in the right hands, be used to get other information, like a phone number.

          An independent security consultant tells everyone they should be worried - a lot.

          It's all fun and games until someone puts an eye out.

           


      •  
        Nate, Jun 10th, 2010 @ 5:48am

        Re: Re:

        My email address is on my Website, if you care to write me. I guess my email account is now "compromised" also.

        Exactly right... except for the fact that the email addresses that Apple collected were not intended for public distribution. If you want to give out your email address to the world then that's your decision. No one else should make that decision for you.

        But since you obviously don't mind people knowing your private contact information, may I have your cell number too? Just leave it here in this thread and I'll write it down later. Thanks.

         


        •  
          Michael, Jun 10th, 2010 @ 6:32am

          Re: Re: Re:

          FYI - Email - not secure. Email addresses can be randomly "discovered" pretty easily. It's an address, they are public intentionally.

          The only breach of much significance I see is the hackers have managed to connect the ID of a bunch of iPads to the actual users. Assuming you can capture the ID of the iPad when it connects to a network or to the internet, this could be a bit of an issue that makes it reasonably possible to connect some activity to a person.

          The other news item here is that AT&T was completely incompetent in making this possible. Oh wait, their incompetency is not much of a surprise.

           


          •  
            Nate, Jun 10th, 2010 @ 7:58am

            Re: Re: Re: Re:

            Sure, email addresses are public by themselves (just as phone numbers and home addresses), but meaningless without an association with a person. The association between a person and an email address is not intended to be public knowledge unless the person decides to make that information available.

             


  •  
    Anonymous Coward, Jun 10th, 2010 @ 8:39am

    hollywood is now in state of RED ALERT

    all their toys are compromised OOOOHHH NOOO
    the information gleaned will tell a tale of [how many exploited] morons

     


  •  
    Anonymous Coward, Jun 10th, 2010 @ 8:40am

    guess not having me the user choose better security is well haha on you apple

    hhahaahahaaa

     


  •  
    Chuck Norris' Enemy (deceased), Jun 10th, 2010 @ 12:07pm

    The List

    Hackers: So now we have a list of 114k hipster-suckers!

     


  •  
    Steven, Jun 10th, 2010 @ 8:10pm

    unlock at&t

     


