AT&T’s system got “hacked”, and iPad owners’ email addresses were harvested. So now the appropriate departments have decided to send an email to somehow communicate what the frell is going on. Oh, and to make sure that they’re taking it seriously.
First, I’m not quite sure if it was as much a hack as just a clever way to use an official feature. As I understand it, the situation is similar to someone finding that if, say, you call the voicemail system and then enter a phone number, it says “Now recording message for Mr John Smith”, so you can try all possible phone numbers to find out who exactly uses each one and what the name-to-number relations are. In this case, the “hacking” was done to the log-in system, which conveniently offered the email address of the person trying to log in, based on the iPad ID in the header of the request.
And here’s the email (thanks, engadget)
June 13, 2010
Dear Valued AT&T Customer,
Recently there was an issue that affected some of our customers with AT&T 3G service for iPad resulting in the release of their customer email addresses.
My gosh! Email addresses were held prisoner! Well, just say it as it is — someone got a list of customers’ email addresses.
I am writing to let you know that no other information was exposed and the matter has been resolved. We apologize for the incident and any inconvenience it may have caused. Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence.
A confidence in what? Email non-disclosure?
Here’s some additional detail:
On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service.
At this point I get a picture of a poor innocent function, maliciously exploited by hacker thugs. I guess the email is working!
The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address.
So, they call themselves “hackers”? Not AT&T?
When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the email address associated with the ICC-ID already populated on the log-in screen.
My gosh! It’s like the white pages, but for email!
The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity.
Um... as opposed to non-deliberately exploiting a feature of the log-in process? When something like that is distributed, it’s always for publicity. Sometimes it’s even for the greater good, when the result is another security hole closed, though in this case it seems to be more of an annoyance and a matter of poor design of the log-in system.
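The pattern the email describes (one client presenting many different ICC-IDs in a short time, most of which match no account) is something the server side can detect in its own logs. The check below is an added example, not code from the original post or from AT&T; the log line format, the `prefill=hit|miss` field, the thresholds and every log line are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application-log lines (assumed format): time, client IP, the
# ICC-ID the client sent, and whether the pre-fill lookup found an account.
SAMPLE_LOG = """\
2010-06-07T10:00:00 203.0.113.5 iccid=89010000000000000042 prefill=hit
2010-06-07T10:00:30 203.0.113.5 iccid=89010000000000000042 prefill=hit
2010-06-07T10:01:00 198.51.100.7 iccid=89010000000000000001 prefill=miss
2010-06-07T10:01:01 198.51.100.7 iccid=89010000000000000002 prefill=miss
2010-06-07T10:01:02 198.51.100.7 iccid=89010000000000000003 prefill=hit
2010-06-07T10:01:03 198.51.100.7 iccid=89010000000000000004 prefill=miss
2010-06-07T10:01:04 198.51.100.7 iccid=89010000000000000005 prefill=miss
2010-06-07T10:01:05 198.51.100.7 iccid=89010000000000000006 prefill=hit
2010-06-07T10:01:06 198.51.100.7 iccid=89010000000000000007 prefill=miss
2010-06-07T10:01:07 198.51.100.7 iccid=89010000000000000008 prefill=miss
"""
LINE_RE = re.compile(r"^(\S+) (\S+) iccid=(\d+) prefill=(hit|miss)$")

def parse_line(line):
    """Return (timestamp, ip, iccid, hit) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, iccid, result = m.groups()
    return datetime.fromisoformat(ts), ip, iccid, result == "hit"

def find_enumerators(log_text, window=timedelta(minutes=5), min_ids=5, min_miss_ratio=0.5):
    """Flag clients that present many distinct ICC-IDs inside one time window, most of
    which match no account; a real subscriber re-sends one ICC-ID and never trips this."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec[1]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):          # sliding time window per client
            while recs[end][0] - recs[start][0] > window:
                start += 1
            win = recs[start:end + 1]
            ids = {r[2] for r in win}
            misses = sum(1 for r in win if not r[3])
            if len(ids) >= min_ids and misses / len(win) >= min_miss_ratio:
                flagged[ip] = {"requests": len(win), "distinct_iccids": len(ids),
                               "miss_ratio": round(misses / len(win), 2)}
    return flagged
```

Running `find_enumerators(SAMPLE_LOG)` flags only 198.51.100.7; the miss ratio is what separates guessing from a busy but legitimate client.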
As soon as we became aware of this situation, we took swift action to prevent any further unauthorized exposure of customer email addresses. Within hours, AT&T disabled the mechanism that automatically populated the email address. Now, the authentication page log-in screen requires the user to enter both their email address and their password.
That would probably explain why the online log-in system was down for half a day or so. And now users don’t have their email address pre-populated and need to enter more data. Thank you, evil hackers…
I want to assure you that the email address and ICC-ID were the only information that was accessible. Your password, account information, the contents of your email, and any other personal information were never at risk. The hackers never had access to AT&T communications or data networks, or your iPad. AT&T 3G service for other mobile devices was not affected.
Good to know.
While the attack was limited to email address and ICC-ID data, we encourage you to be alert to scams that could attempt to use this information to obtain other data or send you unwanted email. You can learn more about phishing by visiting the AT&T website.
Not quite sure how one could be alert to attempts to send unwanted email. I mean, it’s spam; it’s always unwanted, and there’s nothing you can do about it.
AT&T takes your privacy seriously and does not tolerate unauthorized access to its customers’ information or company websites. We will cooperate with law enforcement in any investigation of unauthorized system access and to prosecute violators to the fullest extent of the law.
Apparently Gawker has already been contacted by law enforcement and asked about the information on this “hack”. Given that it could probably be replicated by pretty much anyone once the hackers announced to the world how this information can be coerced from AT&T’s servers, there will be more “persons of interest”…
Oh, and that famous “take NNN seriously” is here again. I hope everything else is not a laughing matter either.
AT&T acted quickly to protect your information – and we promise to keep working around the clock to keep your information safe. Thank you very much for your understanding, and for being an AT&T customer.
Senior Vice President, Public Policy and Chief Privacy Officer for AT&T
All in all, not bad. I hope there isn’t any other unintended “feature” out there that can be exploited in a similar manner, or this whole emailing will become a periodic event.