Over 114,000 Accounts Revealed To “Hackers” Due To Security Breach.
Last week Goatse Security was able to access over 100,000 iPad user e-mail addresses using AT&T’s customer website. Using an exploit involving the generation of fake SIM card serial numbers, they brought the flaw to AT&T’s attention. In an official e-mail of apology sent out to any iPad-3G users affected, AT&T Chief Privacy Officer Dorothy Attwood stated that AT&T “…took swift action to prevent any further unauthorized exposure of customer e-mail addresses”.
AT&T slammed the actions of Goatse Security in the email to customers, calling the security group “malicious”, and refer to them as “hackers” and saying they “deliberately went to great efforts with a random program to… capture customer email addresses”, and that Goatse “put together a list of these emails and distributed it for their own publicity”. AT&T also states that they will “cooperate with law enforcement in any investigation of unauthorized system access and [hope] to prosecute violators to the fullest extent of the law”.
In a June 14th article, Escher Auernheimer of Goatse security says that it’s time to clear the air. Goatse Security believes that their intentions were in the best interests of the public. Towards the end of the article, Auernheimer states that “We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. The fact remains that there was not a hint of maliciousness in our disclosure”.
Certain individuals are nervous about such security flaws. Ed Hansberry of InformationWeek.com states that with certain information related to the SIM card serial numbers, “you can get the billing name on the account… and the ability to track the [device] as it moves from tower to tower”. In his article, Hansberry recommends that people with “hacked” accounts should demand a new SIM card from AT&T. Hansberry, however, later states that such attacks are very unlikely, unless you are a high-profile target like Rahm Emmanuel.
AT&T states that there should be cause for alarm because only e-mail addresses were exposed, and that neither the contents of any customer’s iPad nor any other account information was ever at risk. In addition, AT&T states that 3G service for other devices was not affected, and that the contents of any client’s email, iPad or account were ever at risk of exposure.
However, AT&T along with CNET and other internet resources advises that you exercise caution when opening any unsolicited emails, even official looking ones and emails received from friends. Such emails could be attempts to “phish” (steal important information by making users think the website they are on is official) important data, or even contain customized iPad malware.
Numerous U.S. Government e-mail addresses were exposed in the incident, including that of White House Chief of Staff Rahm Emmanuel. Promptly after discovering situation on Thursday, the FBI launched an investigation into the incident.
Citations and further reading:
CNET coverage of the incident:
CNET FAQ for those affected:
Goatse’s Response letter to AT&T:
Ed Hansberry’s article:
Official letter from AT&T: