Group Behind ATandT Data Leak Responds to Controversy

Goatse Security, the group behind the leak of 114,000 e-mail addresses belonging to Apple iPad owners, defends its actions in response to criticism about responsible disclosure and in the face of what has now become an FBI investigation.

The group that gained access to 114,000 e-mail addresses belonging to Apple iPad 3G owners has taken to the blogosphere to defend itself, while the FBI has announced that it is investigating the incident.

Goatse Security revealed June 9 that it had obtained the e-mail addresses using a script that exploited a feature on the AT&T Website. Among the addresses revealed by the leak were those of New York City Mayor Michael Bloomberg and numerous military personnel and prominent corporate executives.

In response, FBI spokesperson Lindsay Godwin confirmed in an e-mail to eWEEK that the agency was "aware of these possible computer intrusions and has opened an investigation to address the potential cyber-threat."

The situation has touched off a debate about responsible disclosure, with AT&T stating that Goatse Security never contacted it with the findings. In a blog post June 10, Goatse Security responded to the controversy about its methods by stating that the timeline of events "speaks for itself."

The group's post said, "The Goatse Security analyst responsible for the discovery personally verified this hole was closed Tuesday and no longer a threat to the public before we went to Ryan Tate at Gawker with the data set and attack details. Ryan Tate was the only one to receive our data set, and what results from it he published were redacted to prevent the compromise of those involved."

The post continued, "All data was gathered from a public Web server with no password," meaning it was "accessible by anyone on the Internet." Therefore, "There was no breach, intrusion or penetration," the group argued. "We did not contact AT&T directly, but we made sure that someone else tipped them off and waited for them to patch" before sharing the information with Gawker.

"This disclosure needed to be made," the group wrote. "iPad 3G users had the right to know that their e-mail addresses were potentially public knowledge so they could take steps to mitigate the issue (like changing their e-mail address)."

Since the iPad's launch, Apple has reportedly sold more than 2 million of the devices.