On Sunday, AT&T sent an email to iPad 3G customers, notifying them of last week’s highly publicized security breach. The breach was due to a weakness in AT&T’s servers, which allowed hackers to access 114,000 email addresses, using brute force methods.
The letter, written by AT&T senior vice president and chief privacy officer Dorothy Attwood, explained that a number of iPad 3G owners’ email addresses and ICC-IDs for their iPads were made public through a weakness in AT&T’s website. The company apologized for the security error, while at the same time blaming Goatse Security for exposing the weakness.
At issue was a function designed to make logging into an iPad 3G owner’s AT&T account easier. By sending the ICC-ID to the site, the device was able to pre-populate the email address of the user. Goatse Security basically pummeled the site with thousands upon thousands of possible ICC-IDs, and for each one that was valid, the associated email address was returned.
In the email, Attwood refers to Goatse Security as “self-described hackers.” She added that the group “deliberately went to great efforts” to gain access to customers’ private information, and used the list they put together “for their own publicity.”
While the FBI said on Thursday that it was investigating the security breach, calling it a “potential cyberthreat,” a member of Goatse Security defended the group’s actions in a recent post on its website. The post made the following points:
I want to summarize this explicitly:
- All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word.
- The dataset was not disclosed until we verified the problem was fixed by the vendor.
- The only person to receive the dataset was Gawker journalist Ryan Tate who responsibly redacted it.
Realistically, this is an embarrassment for AT&T, and also for Apple, as AT&T continues to be its BFF with regards to iPads and iPhones. None other than Apple CEO Steve Jobs alluded to the carrier’s network issues at D8 recently, and there are many who cannot wait for the iPhone to reach some other carrier (and the most popular vote-getter there is Verizon).
Here is the full text of AT&T’s email to customers:
June 13, 2010
Dear Valued AT&T Customer,
Recently there was an issue that affected some of our customers with AT&T 3G service for iPad resulting in the release of their customer email addresses. I am writing to let you know that no other information was exposed and the matter has been resolved. We apologize for the incident and any inconvenience it may have caused. Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence.
Here’s some additional detail:
On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service. The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address. When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the email address associated with the ICC-ID already populated on the log-in screen.
The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity.
As soon as we became aware of this situation, we took swift action to prevent any further unauthorized exposure of customer email addresses. Within hours, AT&T disabled the mechanism that automatically populated the email address. Now, the authentication page log-in screen requires the user to enter both their email address and their password.
I want to assure you that the email address and ICC-ID were the only information that was accessible. Your password, account information, the contents of your email, and any other personal information were never at risk. The hackers never had access to AT&T communications or data networks, or your iPad. AT&T 3G service for other mobile devices was not affected.
While the attack was limited to email address and ICC-ID data, we encourage you to be alert to scams that could attempt to use this information to obtain other data or send you unwanted email. You can learn more about phishing by visiting the AT&T website.
AT&T takes your privacy seriously and does not tolerate unauthorized access to its customers’ information or company websites. We will cooperate with law enforcement in any investigation of unauthorized system access and to prosecute violators to the fullest extent of the law.
AT&T acted quickly to protect your information – and we promise to keep working around the clock to keep your information safe. Thank you very much for your understanding, and for being an AT&T customer.
Senior Vice President, Public Policy and Chief Privacy Officer for AT&T
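The mechanism described in the article and in AT&T’s letter, as an added illustration in Python that is not AT&T’s code: the disabled feature let an ICC-ID alone select an account, so anyone who could guess valid ICC-IDs could harvest the matching email addresses; the replacement page requires email and password. A log check that surfaces the access pattern the letter describes (one source querying many distinct ICC-IDs, mostly misses) is included. The account table, ICC-IDs, email addresses, log format and thresholds are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import hashlib
import hmac
import re


def _hash(pw: str) -> str:
    # Toy hashing for the illustration only; a real deployment uses a slow,
    # salted password hash such as bcrypt, scrypt or Argon2.
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed account table: hypothetical ICC-IDs and e-mail addresses.
ACCOUNTS = {
    "89014100000000000001": {"email": "alice@example.com", "pw_hash": _hash("alice-pass")},
    "89014100000000000007": {"email": "bob@example.com", "pw_hash": _hash("bob-pass")},
}
EMAIL_INDEX = {acct["email"]: acct for acct in ACCOUNTS.values()}


def prefill_email_vulnerable(icc_id: str):
    """Models the feature AT&T disabled: the ICC-ID, a number printed on the
    SIM rather than a secret, is the only input, and a valid one returns the
    registered e-mail address to whoever sent it."""
    acct = ACCOUNTS.get(icc_id)
    return acct["email"] if acct else None


def login_hardened(email: str, password: str) -> bool:
    """Requires both e-mail and password, as AT&T's replacement page does.
    Added guidance: answer False the same way for an unknown e-mail and for
    a wrong password, so the response does not reveal which addresses exist."""
    acct = EMAIL_INDEX.get(email)
    expected = acct["pw_hash"] if acct else _hash("")  # same work when unknown
    ok = hmac.compare_digest(expected, _hash(password))
    return bool(acct) and ok


# Constructed log format: "<iso-timestamp> <source> icc=<digits> status=<code>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) icc=(?P<icc>\d+) status=(?P<status>\d{3})$")


def detect_enumeration(log_lines, window=timedelta(minutes=5), max_distinct=5, min_miss_rate=0.5):
    """Flags sources that, within `window`, present more than `max_distinct`
    different ICC-IDs with a miss rate of at least `min_miss_rate`.
    A legitimate iPad presents exactly one ICC-ID, its own, so a source
    walking through many candidates is the pattern the letter describes."""
    events = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the constructed format
        events[m["src"]].append((datetime.fromisoformat(m["ts"]), m["icc"], m["status"]))

    flagged = set()
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window
                start += 1
            win = evs[start:end + 1]
            distinct = {icc for _, icc, _ in win}
            misses = sum(1 for _, _, status in win if status != "200")
            if len(distinct) > max_distinct and misses / len(win) >= min_miss_rate:
                flagged.add(src)
                break
    return flagged


# Constructed sample log: one normal device and one source walking a range.
SAMPLE_LOG = [
    "2010-06-07T10:00:00 198.51.100.9 icc=89014100000000000001 status=200",
    "2010-06-07T10:03:00 198.51.100.9 icc=89014100000000000001 status=200",
] + [
    f"2010-06-07T10:01:{i:02d} 203.0.113.5 icc={89014100000000000000 + i} "
    f"status={'200' if str(89014100000000000000 + i) in ACCOUNTS else '404'}"
    for i in range(1, 9)
]

if __name__ == "__main__":
    print("vulnerable prefill:", prefill_email_vulnerable("89014100000000000001"))
    print("hardened login:", login_hardened("alice@example.com", "alice-pass"))
    print("flagged sources:", detect_enumeration(SAMPLE_LOG))
```

The detection thresholds are deliberately loose for the constructed log; in a real web tier they would be tuned per endpoint, and the same check belongs in front of any lookup keyed on a public, guessable identifier, not only this one.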