The e-mail addresses of more than 114,000 iPad owners in the US were leaked following a brute-force attack on carrier AT&T's website this week.
The details, which were released in full to Gawker
, included the ICC-ID of the microSIM within 3G-enabled iPad units and the e-mail address of its registered user - although no other details, such as address or payment information, are thought to have been included.
Those affected by the breach are thought to include members of the US government and military along with the private e-mail addresses of entertainment industry moguls including the CEO of the New York Times, the president of News Corp., and the founder of Bloomberg. Perhaps the most interesting entry on the list of known iPad owners, however, is William Eldredge - commander of the largest B-1 strategic bomber group currently active in the US.
The attack - which involved sending random ICC-ID codes to a script on AT&T's website, which has since been disabled, and receiving e-mail addresses back if they proved to be valid - was carried out by the infamous Goatse Security group. While it is not thought that Goatse Security profited from the attack in any way, AT&T is claiming that it was alerted to the breach by a "business customer
," rather than the security group that originally discovered the flaw.
However, the group does admit to having shared the PHP script which enabled the brute-force attack with un-named third parties - so it's possible that far more than 114,000 e-mail addresses have been exposed, and that the information is more than likely to make its way into the hands of spammers and other ne'er-do-wells sooner rather than later.
AT&T has apologised for the security breach, and promised to continue to investigate the issue and "inform all customers who's e-mail addresses and ICC IDs may have been obtained
" as soon as its investigations are complete.
Are you surprised that such a gaping security hole existed on AT&T's website, or just pleased that it only appears to have been e-mail addresses - and not bank details or passwords - that were leaked? Share your thoughts over in the forums