In what may be Apple’s worst security breach, email information from 114,000 iPad owners has been made public. This hack was discovered and exploited by a group calling themselves Goatse Security. It revolves around a simple feature that makes it easier for customers to sign up for their 3G service. When an iPad sent its ICC-ID number, AT&T’s software auto-filled the user’s email address in the sign-up form and saved them from typing it. Goatse was easily able to exploit this feature and grab email addresses by guessing ICC-ID numbers. While this little feature probably saved users a few keystrokes, I doubt the benefits were worth exposing their email addresses.
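The pattern described above (one client submitting many guessed identifiers to a lookup endpoint) leaves a distinctive trace in server logs. The following is an added example, not code from the article, from AT&T or from Goatse Security: it parses constructed access-log lines for a hypothetical /autofill endpoint with an iccid query parameter (the endpoint name, log format, ICC-ID values and thresholds are all assumptions) and flags clients that look up many distinct ICC-IDs, walk consecutive ICC-ID values, or repeatedly hit IDs that are not assigned.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log layout: "<ISO timestamp> <client ip> <status> <method> <path>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<status>\d{3}) (?P<method>[A-Z]+) (?P<path>\S+)$"
)
# ICC-IDs are 19-20 digit numbers; the parameter name "iccid" is an assumption.
ICCID_RE = re.compile(r"[?&]iccid=(\d{18,20})(?:&|$)")


def _iccid(n):
    """Constructed 20-digit ICC-ID: '89' (telecom prefix) plus zero-padded filler; not a real range."""
    return "89" + str(n).zfill(18)


def _line(ts, ip, status, path):
    return f"{ts} {ip} {status} GET {path}"


# Constructed sample access log (not AT&T's logs). 203.0.113.5 walks five consecutive
# ICC-IDs and gets two 404s; 198.51.100.7 and 192.0.2.9 look like ordinary devices.
SAMPLE_LOG = "\n".join(
    [_line(f"2010-06-07T10:00:0{i}Z", "203.0.113.5", 200 if i < 4 else 404,
           f"/autofill?iccid={_iccid(1000 + i)}") for i in range(1, 6)]
    + [
        _line("2010-06-07T10:05:00Z", "198.51.100.7", 200, f"/autofill?iccid={_iccid(777777)}"),
        _line("2010-06-07T11:00:00Z", "192.0.2.9", 200, f"/autofill?iccid={_iccid(1500)}"),
        _line("2010-06-07T11:30:00Z", "192.0.2.9", 200, f"/autofill?iccid={_iccid(90210)}"),
        _line("2010-06-07T11:31:00Z", "192.0.2.9", 200, "/index.html"),
        _line("2010-06-07T11:32:00Z", "203.0.113.5", 400, "/autofill"),
    ]
)


def parse_log(text):
    """Yield (timestamp, client_ip, status, iccid) for requests that carried an ICC-ID."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        icc = ICCID_RE.search(m["path"])
        if not icc:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], int(m["status"]), icc.group(1)


def find_enumerators(text, max_ids_per_client=3, max_sequential_pairs=2, max_misses=2):
    """Return {client_ip: finding} for clients whose lookups look like ID guessing.

    A real iPad submits its own ICC-ID, so one or two distinct IDs per client is normal;
    many distinct IDs, consecutive values, or repeated lookups of unassigned IDs are not.
    Thresholds are illustrative assumptions.
    """
    per_client = defaultdict(list)
    for ts, ip, status, iccid in parse_log(text):
        per_client[ip].append((ts, status, iccid))

    findings = {}
    for ip, reqs in per_client.items():
        ids = sorted({int(i) for _, _, i in reqs})
        sequential = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        misses = sum(1 for _, status, _ in reqs if status == 404)
        times = [t for t, _, _ in reqs]
        span = (max(times) - min(times)).total_seconds()
        reasons = []
        if len(ids) > max_ids_per_client:
            reasons.append(f"{len(ids)} distinct ICC-IDs from one client")
        if sequential >= max_sequential_pairs:
            reasons.append(f"{sequential} consecutive ICC-ID pairs")
        if misses >= max_misses:
            reasons.append(f"{misses} lookups of unassigned ICC-IDs (404)")
        if reasons:
            findings[ip] = {
                "distinct_ids": len(ids),
                "sequential_pairs": sequential,
                "misses": misses,
                "span_seconds": span,
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for ip, finding in find_enumerators(SAMPLE_LOG).items():
        print(ip, finding)
```

Only 203.0.113.5 is reported; the line without an iccid parameter and the /index.html request are ignored by the parser. Detection of this kind is a backstop: the auto-fill design itself, which hands out an email address for any identifier printed on the device, is the thing to fix.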
Are You At Risk?
Anyone who bought an iPad 3G could potentially be at risk. While AT&T has since shut down the exploit, there is no way to tell if your specific information was shared. Gizmodo made reference to a list of 114,000 emails that they received, but they are not sharing this list. Goatse Security may have shared information with others. The only way you can really tell if your information was compromised would be if you saw an increase in spam activity.
Does This Really Matter?
In this case, only email addresses were leaked. Besides a little spam, is there anything to worry about? It’s not really about what was leaked here, but that information was leaked at all. Work email addresses from “dozens of CEOs, military officials, and top politicians” were made public. AT&T knows much more about you than your email address. This breach could indicate deeper issues at AT&T in regards to privacy. In this case, they set up a server which held your private information and was accessible by anyone with an Internet connection. That server freely gave away your private email address in exchange for a number that is plainly on display on the outside of your iPad. Who is to say they haven’t made this same mistake elsewhere?
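The design flaw the paragraph describes is that the server answered with private data for anyone who supplied a number printed on the device. As an added example (not AT&T's code, and not code from the article), the weak lookup is shown beside a hardened one over a constructed subscriber table: the hardened version requires an authenticated session and only returns the email address for an ICC-ID registered to that caller's own account, answering unknown and foreign ICC-IDs identically. The record layout, account identifiers and session handling are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subscriber:
    account_id: str
    iccid: str
    email: str


def _iccid(n):
    """Constructed 20-digit ICC-ID: '89' (telecom prefix) plus zero-padded filler; not a real range."""
    return "89" + str(n).zfill(18)


# Constructed subscriber records (hypothetical; not AT&T data).
SUBSCRIBERS = {
    _iccid(1001): Subscriber("acct-alice", _iccid(1001), "alice@example.com"),
    _iccid(1002): Subscriber("acct-bob", _iccid(1002), "bob@example.com"),
}


class Unauthorized(Exception):
    """Raised when the caller may not see the requested record."""


def lookup_email_insecure(iccid):
    """Weak design: the ICC-ID alone is treated as proof of ownership, so anyone who
    knows or guesses a registered ICC-ID receives the e-mail address."""
    sub = SUBSCRIBERS.get(iccid)
    return sub.email if sub else None


def lookup_email_hardened(iccid, session_account_id):
    """Hardened design: the ICC-ID is a public identifier, not a secret. The caller must be
    authenticated (session_account_id is set) and the ICC-ID must belong to that account."""
    if session_account_id is None:
        raise Unauthorized("authentication required")
    sub = SUBSCRIBERS.get(iccid)
    if sub is None or sub.account_id != session_account_id:
        # One response for "unknown" and "someone else's" so the endpoint does not
        # confirm which ICC-IDs exist.
        raise Unauthorized("ICC-ID is not registered to this account")
    return sub.email


if __name__ == "__main__":
    print(lookup_email_insecure(_iccid(1002)))            # no login needed: bob@example.com
    print(lookup_email_hardened(_iccid(1001), "acct-alice"))  # alice sees her own: alice@example.com
    try:
        lookup_email_hardened(_iccid(1002), "acct-alice")  # alice asks for bob's: refused
    except Unauthorized as e:
        print("refused:", e)
```

The convenience feature can survive this change: the device that is signed in can still have its own address filled in, but the lookup is now bound to an authenticated principal rather than to a number anyone can read off the back of the iPad.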
In an interview with Gizmodo and a statement released later, AT&T seems to want to avoid some of the blame. They play up the fact that Goatse Security didn’t disclose the breach to them first and play down the fact that it was “only” email addresses that were leaked. Their statement follows.
AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device.
This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.
The person or group who discovered this gap did not contact AT&T.
We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.
We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.