Apple iPad users' e-mail addresses harvested by hackers
- 10 June 2010
- From the section Technology
The US telephone company AT&T has blocked access to a website feature that revealed details of at least 114,000 iPad users' e-mail addresses.
Contact details for a range of high-profile figures, including White House Chief of Staff Rahm Emanuel are believed to be among those disclosed.
Hackers calling themselves Goatse Security revealed the flaw and shared the data with Gawker Media.
Experts played down the risks, saying little critical data had been lost.
AT&T, which is the only network offering iPad 3G services in the United States, said it would notify all iPad users whose e-mail adresses may have been accessed.
"We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted," the company said in a statement.
The vulnerability only involved iPad users who had signed up for AT&T's 3G wireless service. iPad users outside of the US were unaffected.
The breach involved a feature of AT&T's website, which would prompt users when they tried to log in to their AT&T accounts through their iPad.
The site would supply e-mail addresses for users, to enable easier log-in, based on a unique code stored in their iPad SIM card.
The hacker group which claims to have discovered the flaw simply bombarded the site with thousands of requests with made up codes, masquerading as valid requests from iPads.
Gawker Media, which has seen the list of e-mail addresses said it "includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg".
A representative for Goatse Security told the Associated Press that the group contacted AT&T and waited until the vulnerability was fixed before going public.
But AT&T said that it was alerted to the problem by a business customer.
Risk of attack
One concern raised by security experts is that cybercriminals might mount so-called phishing attacks.
They could theoretically create genuine-looking e-mails in the knowledge that individuals are iPad users and customers of AT&T, thereby tricking some into revealing further more useful confidential details.
But if you know the organisation somebody works for, e-mail addresses are often also quite easy to guess, so the value of the e-mail address data has been questioned.
Paul Ducklin, a technology expert from security firm Sophos, also pointed out in a blog entry: "Your e-mail address is revealed on the internet every time you use it to send e-mail.
"Whilst this breach is serious for having occurred, there does not seem to be any national security risk arising as a result, whether White House staffers were involved or not."