AT&T sent an e-mail to Apple iPad 3G owners impacted by the leak of 114,000 e-mail addresses last week. In the note, the company blames the incident on "unauthorized computer hackers" and promises to cooperate with the federal investigation into the incident.
AT&T sent a note to customers affected by the data leak that
exposed 114,000 e-mail addresses belonging to Apple iPad 3G owners,
apologizing for the incident and condemning the actions of Goatse Security.
In the note, AT&T Senior Vice President for Public Policy
Dorothy Attwood blamed the situation on "unauthorized computer
hackers" exploiting "a function designed to make your iPad log-in
process faster." According to the note, AT&T disabled the mechanism
that automatically populated the e-mail address and now has an
authentication page log-in screen that requires the user to enter both
their e-mail address and their password.
"The self-described hackers wrote software code to randomly generate
numbers that mimicked serial numbers of the AT&T SIM card for iPad
- called the integrated circuit card identification (ICC-ID) - and
repeatedly queried an AT&T Web address," the note reads. "When a number
generated by the hackers matched an actual ICC-ID, the authentication
page log-in screen was returned to the hackers with the email address
associated with the ICC-ID already populated on the log-in screen."
"The hackers deliberately went to great efforts with a random
program to extract possible ICC-IDs and capture customer e-mail
addresses," it continues. "They then put together a list of these
e-mails and distributed it for their own publicity... Your password,
account information, the contents of your e-mail, and any other
personal information were never at risk. The hackers never had access
to AT&T communications or data networks, or your iPad. AT&T 3G
service for other mobile devices was not affected."
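The enumeration AT&T's note describes (one client cycling through many candidate ICC-IDs against the log-in endpoint, while a real iPad only ever presents the ICC-ID of its own SIM) leaves a clear trace in web server access logs. The detector below is an added example, not AT&T's or Goatse Security's code; the /login path, the ICCID query parameter, the combined log format and the sample lines are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in Apache combined log format (not real AT&T logs);
# the /login path, the ICCID parameter name and the ICC-ID values are assumptions.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2010:10:00:01 +0000] "GET /login?ICCID=89014104210000000001 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jun/2010:10:00:02 +0000] "GET /login?ICCID=89014104210000000002 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jun/2010:10:00:03 +0000] "GET /login?ICCID=89014104210000000003 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jun/2010:10:00:04 +0000] "GET /login?ICCID=89014104210000000004 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jun/2010:10:00:05 +0000] "GET /login?ICCID=89014104210000000005 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Jun/2010:10:00:03 +0000] "GET /login?ICCID=89014104219999999999 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Jun/2010:10:04:30 +0000] "GET /login?ICCID=89014104219999999999 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
"""

# Client IP, timestamp and request target from a combined-format line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*"')

def detect_enumeration(log_text, window=timedelta(minutes=5), max_distinct=3):
    """Return {client_ip: peak_distinct_iccids} for clients that presented more
    than max_distinct different ICC-IDs inside any sliding time window."""
    events = defaultdict(list)  # ip -> [(timestamp, iccid)]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        iccid = parse_qs(urlparse(target).query).get("ICCID", [None])[0]
        if iccid is None:
            continue  # request did not carry an ICC-ID, not relevant here
        events[ip].append((datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), iccid))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, iccid in evs:
            in_window[iccid] += 1
            while ts - evs[start][0] > window:  # drop events older than the window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_distinct:  # one SIM per device: many IDs means enumeration
            flagged[ip] = peak
    return flagged
```

Tuning max_distinct and window to the expected per-client behaviour (one ICC-ID per device, occasionally a second after a SIM swap) keeps legitimate users below the threshold while a scanner trips it within seconds.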
The note follows the start of an FBI investigation of the incident. Goatse Security has said it purposely waited
until the issue was patched before revealing the situation - and the
e-mail addresses they had harvested - to Gawker Media, which first
broke the story. In a blog post today, the group defended its actions again.
"If not for our firm talking about the exploit to third parties who
subsequently notified them, they would have never fixed it and it would
likely be exploited by the RBN or the Chinese, or some other criminal
organization or government (if it wasn't already)," wrote
Goatse Security member Escher Auernheimer.
"AT&T had plenty of time to inform the public before our
disclosure," Auernheimer continued. "It was not done. Post-patch,
disclosure should be immediate - within the hour. Days afterward is not
acceptable. It is theoretically possible that in the span of a day
(particularly after a hole was closed) that a criminal organization
might decide to use an old dataset to exploit users before the users
could be enlightened about the vulnerability."
Last week, Gawker was contacted by
the FBI and issued a preservation notice as part of the investigation.
According to the note, AT&T will also cooperate.
"We will cooperate with law enforcement in any investigation of
unauthorized system access and to prosecute violators to the fullest
extent of the law," the note reads.