Hackers: Data Breach Exposed iPad Owners' Personal Info

A security flaw in AT&T's network exposed the e-mail addresses of more than 100,000 owners of Apple's 3G iPad, according to a report published by Gawker today.

Calling it the "most exclusive e-mail list on the planet," Gawker said the list of exposed owners included New York Mayor Michael Bloomberg, White House Chief of Staff Rahm Emanuel and other powerful figures in finance, media and politics.

VIDEO: iPad Security Breach
iPad Security Breach: E-Mail Addresses Hacked

The security hole was uncovered by Goatse Security, a group known among security experts as hackers who enjoy pulling Web pranks, Gawker reported. Still, the group previously has uncovered flaws in browsers Firefox and Safari, Gawker said.

When contacted by ABCNews.com, a man who asked to be named as a Goatse employee confirmed Gawker's report.

"It's absolutely real," he said, adding that the group gave the Gawker reporter their data set and he was able to verify the information.

The employee said someone in his organization learned that when given an iPad owners' unique identification number, a program on AT&T's website would return the e-mail address connected to that account.

Once the hole was uncovered, he said, the group was able to write a script that would automatically predict ID numbers and return the associated e-mail addresses.

VIDEO: ABCs Andrea Smith shares essential applications for the iPad.
null

In about six hours, he said, the group was able to scrape information for about 114,000 iPad 3G owners, but he did not say how many iPad owners could have been affected in total.

He said the flaw was discovered about a month ago and AT&T was notified this week. He added that the company since has patched the hole.

AT&T said it was notified of the breach on Monday by a customer, but was not told by Goatse.

"This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses," a written statement by AT&T said. "The person or group who discovered this gap did not contact AT&T."

If lawyers determine that a breach has indeed occurred, according to state data breach laws, Apple and AT&T will need inform the affected iPad owners. In its statement, AT&T said it already plans to inform customers.

"We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS [iPad identification numbers] may have been obtained," the company statement said. "We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted."

Apple did not immediately respond to a request for comment.

Big Names Possibly Exposed; Unsurprising Programming Error?

From the data set provided to them, Gawker said the list of compromised accounts included those belonging to high-profile individuals at the New York Times Company, Dow Jones, Conde Nast, Google, Amazon, NASA, Goldman Sachs, the Senate and others.

Aaron Higbee, co-founder of the Intrepidus Group, a security firm that specializes in mobile security, did not sound surprised by the reported breach.

"We've seen examples of this sort of thing with carriers before," he said. "It seems like a mistake a programmer would make."

Page
  • 1
  • |
  • 2
Join the Discussion
You are using an outdated version of Internet Explorer. Please click here to upgrade your browser in order to comment.
blog comments powered by Disqus
 
You Might Also Like...