AT&T Security Hole Revealed Email Addresses Of iPad Owners

from the whoops dept

Apparently, a security vulnerability in the way AT&T set up its network allowed hackers to capture the email addresses of 114,000 iPad owners. The breach was pretty basic stuff: if you fed an iPad ID number to a script that was publicly available on AT&T's website, it returned to you the email address associated with that ID. The hackers quickly set to testing out tons of likely IDs, and got back all those email addresses, including those of top execs at a bunch of big media companies, such as the CEO of the NY Times, CEO of Time, Inc., the President of News Corp, the CEO of Dow Jones and New York City mayor Bloomberg. Oh yeah, also a bunch of government emails: "Rahm Emanuel and staffers in the Senate, House of Representatives, Department of Justice, NASA, Department of Homeland Security, FAA, FCC, and National Institute of Health, among others." AT&T issued the expected "oops" statement soon after this was exposed.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: email addresses, ipad, security hole
Companies: at&t


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Jeff, 9 Jun 2010 @ 7:07pm

    This is why I am a PC and don't own the iCrap.

    link to this | view in chronology ]

    • identicon
      Mike, 10 Jun 2010 @ 6:21am

      Re:

      Um... So vunerability on AT&T's website = Apple Sucks!

      Am I missing something here... ? (cough troll)

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jun 2010 @ 9:12pm

    What? A blog broke this story? Not the New York Times? I'm so confused.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 9 Jun 2010 @ 10:11pm

      Re:

      What? A blog broke this story? Not the New York Times? I'm so confused.

      The group that exploited the security hole basically gave them the story directly. Why them and not, say, the NYT? Maybe the more "instant" exposure. Maybe the tech focus. Or maybe, given Gawker Media's recent history, the biggest paycheck for the information.

      The writeup is suitably histrionic. Some email addresses got harvested, but repeatedly the article states that information or accounts were "compromised." Yeah, and I walked down Main Street, wrote down the numbers on the houses, and "compromised" those houses too. My email address is on my Website, if you care to write me. I guess my email account is now "compromised" also.

      Here's another big secret that could lead to a major breach: many companies use the form "first initial-last name@example.com" as the format of their email addresses. Some even use First.M.Last@example.com!

      OH NOES I HAVE COMPROMISED THE ACCOUNTS OF MILLIONS!

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 10 Jun 2010 @ 12:07am

        Re: Re:

        http://www.nytimes.com/2010/06/10/technology/10apple.html?ref=technology

        But experts said that ICC-ID numbers could, in the right hands, be used to get other information, like an iPad’s location.

        The breach “should be worrying people a lot,” said Nick DePetrillo, an independent security consultant.

        Michael Kleeman, a communications network expert at the University of California, San Diego, said that AT&T should never have stored the information on a publicly accessible Web site. But he added that the damage was likely to be limited.

        “You could in theory find out where the device is,” Mr. Kleeman said. “But to do that, you would have to gain access to very secure databases that are not generally connected to the public Internet.”

        link to this | view in chronology ]

        • identicon
          abc gum, 10 Jun 2010 @ 5:15am

          Re: Re: Re:

          But experts say that Street Addresses could, in the right hands, be used to get other information, like a phone number.

          An independent security consultant tells everyone they should be worried - a lot.

          Its all fun and games until someone puts an eye out.

          link to this | view in chronology ]

      • icon
        Nate (profile), 10 Jun 2010 @ 5:48am

        Re: Re:

        My email address is on my Website, if you care to write me. I guess my email account is now "compromised" also.

        Exactly right... except for the fact that the email addresses that Apple collected were not intended for public distribution. If you want to give out your email address to the world then that's your decision. No one else should make that decision for you.

        But since you obviously don't mind people knowing your private contact information, may I have your cell number too? Just leave it here in this thread and I'll write it down later. Thanks.

        link to this | view in chronology ]

        • identicon
          Michael, 10 Jun 2010 @ 6:32am

          Re: Re: Re:

          FYI - Email - not secure. Email addresses can be randomly "discovered" pretty easily. It's an address, they are public intentionally.

          The only breach of much significance I see is the hackers have managed to connect the Id of a bunch of iPads to the actual users. Assuming you can capture the ID of the iPad when it connects to a network or to the internet, this could be a bit of an issue that makes it reasonably possible to connect some activity to a person.

          The other news item here is that AT&T was completely incompetent in making this possible. Oh wait, their incompetency is not much of a surprise.

          link to this | view in chronology ]

          • icon
            Nate (profile), 10 Jun 2010 @ 7:58am

            Re: Re: Re: Re:

            Sure, email addresses are public by themselves (just as phone numbers and home addresses), but meaningless without an association with a person. The association between a person and an email address is not intended to be public knowledge unless the person decides to make that information available.

            link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Jun 2010 @ 8:39am

    hollywood is now in state of RED ALERT

    all there toys are comprimised OOOOHHH NOOO
    the information gleened will tell a tale of [how many exploited] morons

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Jun 2010 @ 8:40am

    guess not having me the user choose better security is well haha on you apple

    hhahaahahaaa

    link to this | view in chronology ]

  • icon
    Chuck Norris' Enemy (deceased) (profile), 10 Jun 2010 @ 12:07pm

    The List

    Hackers: So now we have a list of 114k hipster-suckers!

    link to this | view in chronology ]

  • identicon
    Steven, 10 Jun 2010 @ 8:10pm

    unlock at&t

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.