AT&T issued an apology on Sunday for a hack that exposed thousands of iPad customers’ e-mail addresses last week and vowed to work with law enforcement to prosecute those responsible.
The group found that entering a correct serial number for the iPad’s SIM card, called an integrated circuit card identification (ICC-ID), the log-in page would return an e-mail address associated with that iPad. They wrote code that would randomly generate those serial numbers and queried the Web site until an e-mail addresses were returned, according to AT&T.
AT&T designed the site to automatically populate the e-mail field in order to make it easier for its customers to log in. AT&T has since changed the page to require an e-mail address and password to be entered.
“The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer e-mail addresses,” wrote Dorothy Attwood, AT&T’s chief privacy officer, in an e-mail sent to affected customers. “They then put together a list of these e-mails and distributed it for their own publicity.”
The e-mail addresses were passed to Gawker.com. Goatse maintains that it did not directly contact AT&T but waited until the company fixed the problem before giving the e-mail addresses to Gawker and said it has since destroyed the data.
Nonetheless, the U.S. Federal Bureau of Investigation opened a probe last Thursday into whether Goatse Security broke the law.
AT&T said only the ICC-ID and e-mail address were exposed and that other personal account information and e-mail content were not. The hackers did not get access to AT&T data networks, according to the letter.
“We apologize for the incident and any inconvenience it may have caused,” Attwood wrote. “Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence.”
AT&T will not offer any incentives to those customers affected, according to Mark Siegel, executive director for media relations.
Send news tips and comments to jeremy_kirk@idg.com