AT&T Security Hole Revealed Email Addresses Of iPad Owners

from the whoops dept

Apparently, a security vulnerability in the way AT&T set up its network allowed hackers to capture the email addresses of 114,000 iPad owners. The breach was pretty basic stuff: if you fed an iPad ID number to a script that was publicly available on AT&T’s website, it returned to you the email address associated with that ID. The hackers quickly set to testing out tons of likely IDs, and got back all those email addresses, including those of top execs at a bunch of big media companies, such as the CEO of the NY Times, CEO of Time, Inc., the President of News Corp, the CEO of Dow Jones and New York City mayor Bloomberg. Oh yeah, also a bunch of government emails: “Rahm Emanuel and staffers in the Senate, House of Representatives, Department of Justice, NASA, Department of Homeland Security, FAA, FCC, and National Institute of Health, among others.” AT&T issued the expected “oops” statement soon after this was exposed.

Filed Under: , ,
Companies: at&t

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “AT&T Security Hole Revealed Email Addresses Of iPad Owners”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re:

What? A blog broke this story? Not the New York Times? I’m so confused.

The group that exploited the security hole basically gave them the story directly. Why them and not, say, the NYT? Maybe the more “instant” exposure. Maybe the tech focus. Or maybe, given Gawker Media’s recent history, the biggest paycheck for the information.

The writeup is suitably histrionic. Some email addresses got harvested, but repeatedly the article states that information or accounts were “compromised.” Yeah, and I walked down Main Street, wrote down the numbers on the houses, and “compromised” those houses too. My email address is on my Website, if you care to write me. I guess my email account is now “compromised” also.

Here’s another big secret that could lead to a major breach: many companies use the form “first initial-last” as the format of their email addresses. Some even use!


Anonymous Coward says:

Re: Re: Re:

But experts said that ICC-ID numbers could, in the right hands, be used to get other information, like an iPad’s location.

The breach “should be worrying people a lot,” said Nick DePetrillo, an independent security consultant.

Michael Kleeman, a communications network expert at the University of California, San Diego, said that AT&T should never have stored the information on a publicly accessible Web site. But he added that the damage was likely to be limited.

“You could in theory find out where the device is,” Mr. Kleeman said. “But to do that, you would have to gain access to very secure databases that are not generally connected to the public Internet.”

Nate (profile) says:

Re: Re: Re:

My email address is on my Website, if you care to write me. I guess my email account is now “compromised” also.

Exactly right… except for the fact that the email addresses that Apple collected were not intended for public distribution. If you want to give out your email address to the world then that’s your decision. No one else should make that decision for you.

But since you obviously don’t mind people knowing your private contact information, may I have your cell number too? Just leave it here in this thread and I’ll write it down later. Thanks.

Michael (profile) says:

Re: Re: Re: Re:

FYI – Email – not secure. Email addresses can be randomly “discovered” pretty easily. It’s an address, they are public intentionally.

The only breach of much significance I see is the hackers have managed to connect the Id of a bunch of iPads to the actual users. Assuming you can capture the ID of the iPad when it connects to a network or to the internet, this could be a bit of an issue that makes it reasonably possible to connect some activity to a person.

The other news item here is that AT&T was completely incompetent in making this possible. Oh wait, their incompetency is not much of a surprise.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...