This hasn’t been AT&T’s month. First, security researchers found a loophole in the company’s Web site that could be used to reveal e-mail addresses for tens of thousands of Apple iPad customers. Now, some users are reporting that when they log in to their AT&T accounts to pre-order the iPhone 4 they are apparently given access to the account information of other people.
“This is how it happens: A customer tries to log into their AT&T account to order a new iPhone 4 upgrade. Despite entering their username and password, the AT&T system would take them to another user account,” reported gadget blog Gizmodo, which broke the news.
Some users said when they refreshed the Web page with the wrong account information, the site returned the correct account information.
In a statement sent to Gizmodo, AT&T said it couldn’t replicate the problem but noted that reports of the problem indicated some data, such as Social Security numbers and credit card numbers was not disclosed.
An AT&T spokesman did not respond to an e-mail request for comment about the report, which came amidst complaints that AT&T’s servers weren’t prepared to handle a surge in pre-orders for the iPhone 4.
On Monday, AT&T apologized for a leak that disclosed e-mail address for more than 100,000 iPad customers, blaming hackers. The e-mail addresses were disclosed after a group called Goatse Security discovered that entering a serial number for an iPad SIM card into an application on AT&T’s Web site would reveal the owner’s e-mail address. They wrote an application that would randomly generate serial numbers and submit them to the Web site, collecting the e-mail addresses returned by the site.
Goatse security sent the e-mail addresses collected from AT&T to Gawker, which first reported the privacy breach.