Apparently the list of accounts includes some 114,000 names and was stolen with the help of a script that took advantage of a security vulnerability in AT&T’s servers. The hackers made off with account names, email addresses, and SIM card identifier numbers.
A group calling itself “Goatse Security” claims to be behind the data security breach and said it used a script that’s openly available on AT&T’s Web site to make off with the account information coupled with some PHP code they crafted.
While the stolen account information can be used to spam iPad users, so far it looks like the hackers won’t be able to use the data to gain access to individual iPads. According to University of Virginia Computer Science PhD, Harsten Nohl, “Data connections are typically well encrypted… the disclosure of ICC-ID [SIM card codes] has no direct security consequences.”
“AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device,” AT&T spokesperson Mark Siegel told The Mac Observer. “This issue was escalated to the highest levels of the company and wascorrected by Tuesday; and we have essentially turned off the featurethat provided the e-mail addresses.”
He added that the “person or group who discovered this gap did not contact AT&T.”
While the security flaw the hackers took advantage of has been addressed, the company is still looking into the incident. “We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained. We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted,” Mr. Siegel said.
[This article has been updated with AT&T’s statement regarding the incident.]