iPad 3G email list exposed by AT&T hack

By Chris Davies/June 10, 2010 2:18 am EST

An AT&T database hack has left 114,000 iPad WiFi + 3G owners with their email addresses exposed. The hackers, known as Goatse Security, apparently used publicly shown iPad 3G ICC IDs – the identifying codes for the microSIMs used in the WWAN-enabled iPad, and which many owners unwittingly revealed in unboxing galleries online – and some scriptwork to take advantage of a loophole in AT&T's website. For their part, AT&T say they have closed off that loophole, and that they will be contacting everyone whose email address may have been compromised.

However, they also counter some of Goatse Security's statements, namely the hackers' claim to have contacted AT&T with regards the security breach. Instead, AT&T say they were warned by a business customer:

"AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device.

This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.

The person or group who discovered this gap did not contact AT&T.

We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.

We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted."

Among the email addresses in the database are government officials, high-ranking executives at tech, media and entertainment companies, and of course thousands of regular users who would probably not like to have their contact details floating out in the wild. As for potential applications of the ICC IDs themselves, views of experts seem mixed; some say there has been no prior evidence of hacks connected to ICC ID codes alone, while others believe some privacy-intrusion could be possible – such as tracking user location via their nearest cell tower – but only if the people with the codes had access to non-public databases.