Hackers: Data Breach Exposed iPad Owners' Personal Info
Flaw in AT&T network revealed iPad owners' e-mail addresses, hackers say.
June 9, 2010 -- A security flaw in AT&T's network exposed the e-mail addresses of more than 100,000 owners of Apple's 3G iPad, according to a report published by Gawker today.
Calling it the "most exclusive e-mail list on the planet," Gawker said the list of exposed owners included New York Mayor Michael Bloomberg, White House Chief of Staff Rahm Emanuel and other powerful figures in finance, media and politics.
The security hole was uncovered by Goatse Security, a group known among security experts as hackers who enjoy pulling Web pranks, Gawker reported. Still, the group previously has uncovered flaws in browsers Firefox and Safari, Gawker said.
When contacted by ABCNews.com, a man who asked to be named as a Goatse employee confirmed Gawker's report.
"It's absolutely real," he said, adding that the group gave the Gawker reporter their data set and he was able to verify the information.
The employee said someone in his organization learned that when given an iPad owners' unique identification number, a program on AT&T's website would return the e-mail address connected to that account.
Once the hole was uncovered, he said, the group was able to write a script that would automatically predict ID numbers and return the associated e-mail addresses.
In about six hours, he said, the group was able to scrape information for about 114,000 iPad 3G owners, but he did not say how many iPad owners could have been affected in total.
He said the flaw was discovered about a month ago and AT&T was notified this week. He added that the company since has patched the hole.
AT&T said it was notified of the breach on Monday by a customer, but was not told by Goatse.
"This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses," a written statement by AT&T said. "The person or group who discovered this gap did not contact AT&T."
If lawyers determine that a breach has indeed occurred, according to state data breach laws, Apple and AT&T will need inform the affected iPad owners. In its statement, AT&T said it already plans to inform customers.
"We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS [iPad identification numbers] may have been obtained," the company statement said. "We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted."
Apple did not immediately respond to a request for comment.
Big Names Possibly Exposed; Unsurprising Programming Error?
From the data set provided to them, Gawker said the list of compromised accounts included those belonging to high-profile individuals at the New York Times Company, Dow Jones, Conde Nast, Google, Amazon, NASA, Goldman Sachs, the Senate and others.
Aaron Higbee, co-founder of the Intrepidus Group, a security firm that specializes in mobile security, did not sound surprised by the reported breach.
"We've seen examples of this sort of thing with carriers before," he said. "It seems like a mistake a programmer would make."
Higbee said his company has encountered similar holes in which a programmer assumes that data can't be manipulated to look as though it came from the device. A fix would have been to make sure that the program verified that the unique number was coming from the device itself before returning the corresponding e-mail address.
This data breach comes just months after Gizmodo, a Gawker-owned technology blog, published an exclusive story on a leaked next-generation Apple iPhone.