AT&T hole exposes iPad users' e-mail addresses

[Guest guest]

http://news.yahoo.com/s/ap/20100610/ap_on_hi_te/us_apple_ipad_data_breach

AT & T hole exposes iPad users' e-mail addresses

By JORDAN ROBERTSON, AP Technology Writer Jordan on, Ap Technology Writer

– 2 hrs 30 mins ago

SAN FRANCISCO – AT & T Inc. on Wednesday acknowledged a security weak spot that

exposed the e-mail addresses of apparently more than 100,000 users of Apple

Inc.'s iPad, a breach that could make those people vulnerable to

precision-targeted hacking attacks.

The vulnerability only affected iPad users who signed up for AT & T's " 3G "

wireless Internet service.

It involved an insecure way that AT & T's website would prompt iPad users when

they tried to log into their AT & T accounts through the devices. The site would

supply users' e-mail addresses, to make log-ins easier, based on unique codes

contained in the SIM cards inside their iPads. SIM cards are used to tell

cell-phone networks which subscriber is trying to use the service.

The hacker group that claims to have discovered the weakness — the group calls

itself Goatse Security — said it was able to trick AT & T's site into coughing up

more than 114,000 e-mail addresses, including those apparently of famous media

personalities and important government officials.

A representative for the group told The Associated Press late Wednesday that the

group contacted AT & T and waited until the vulnerability was fixed before going

public with the information. AT & T said the problem was fixed Tuesday but that it

was alerted to it by a business customer.

Gawker Media Inc.'s Valleywag website earlier reported on the breach.

AT & T said it will notify all iPad users whose e-mail addresses may have been

accessed.

" We take customer privacy very seriously and while we have fixed this problem,

we apologize to our customers who were impacted, " the company said in a

statement.

AT & T noted that the only information hackers would have been able to steal using

this attack were users' e-mail addresses. But that can be enough to launch a

highly effective attack, since the attacker also knows that the person receiving

the e-mail is an iPad user and an AT & T customer and would expect to receive

e-mail from Apple and AT & T about their accounts. Criminals could use that

knowledge to trick them into opening e-mails that plant malicious software on

their computers.

An Apple representative deferred requests for comment to AT & T.

Apple has sold more than 2 million iPads since they went on sale two months ago.

The iPad comes in two different flavors — one that only connects to the Internet

via Wi-Fi, and another that also can connect through AT & T's " 3G " cellular

network. The Wi-Fi-only models aren't affected by the breach. Apple hasn't

specified how many of each model it has sold.