Hackers: Data Breach Exposed iPad Owners' Personal Info

Flaw in AT&T network revealed iPad owners' e-mail addresses, hackers say.

ByABC News
June 9, 2010, 6:41 PM

June 9, 2010— -- A security flaw in AT&T's network exposed the e-mail addresses of more than 100,000 owners of Apple's 3G iPad, according to a report published by Gawker today.

Calling it the "most exclusive e-mail list on the planet," Gawker said the list of exposed owners included New York Mayor Michael Bloomberg, White House Chief of Staff Rahm Emanuel and other powerful figures in finance, media and politics.

The security hole was uncovered by Goatse Security, a group known among security experts as hackers who enjoy pulling Web pranks, Gawker reported. Still, the group previously has uncovered flaws in browsers Firefox and Safari, Gawker said.

When contacted by ABCNews.com, a man who asked to be named as a Goatse employee confirmed Gawker's report.

"It's absolutely real," he said, adding that the group gave the Gawker reporter their data set and he was able to verify the information.

The employee said someone in his organization learned that when given an iPad owners' unique identification number, a program on AT&T's website would return the e-mail address connected to that account.

Once the hole was uncovered, he said, the group was able to write a script that would automatically predict ID numbers and return the associated e-mail addresses.

In about six hours, he said, the group was able to scrape information for about 114,000 iPad 3G owners, but he did not say how many iPad owners could have been affected in total.

He said the flaw was discovered about a month ago and AT&T was notified this week. He added that the company since has patched the hole.

AT&T said it was notified of the breach on Monday by a customer, but was not told by Goatse.

"This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses," a written statement by AT&T said. "The person or group who discovered this gap did not contact AT&T."

If lawyers determine that a breach has indeed occurred, according to state data breach laws, Apple and AT&T will need inform the affected iPad owners. In its statement, AT&T said it already plans to inform customers.

"We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS [iPad identification numbers] may have been obtained," the company statement said. "We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted."

Apple did not immediately respond to a request for comment.