AT&T Leaks Emails Addresses of 114,000 iPad Users 284
Hugh Pickens writes "Daily Tech reports that in what is one of the biggest leaks of email addresses in recent history, a group called Goatse Security has published the personal email addresses of 114,067 iPad 3G purchasers in what appears to be a legal fashion by querying a public interface that AT&T accidentally left exposed. Apparently AT&T left a script on its public website, which when handed an ICC-ID would respond back with the email address of the subscriber. This apparently was intended for an AJAX-style response inside AT&T's web apps. Gawker reports that it's possible that confidential information about every iPad 3G owner in the US has been exposed. 'This is going to hurt the telecommunications company's already poor image with iPhone and iPad customers, and complicate its very profitable relationship with Apple,' writes Ryan Tate, adding that the leak is likely to unnerve customers thinking of buying iPads that connect to AT&T's cellular network. 'Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads.' In a statement, AT&T says that the issue was escalated to the highest levels of the company and that it has essentially turned off the feature that provided the email addresses. 'We are continuing to investigate and will inform all customers whose email addresses and ICC IDS may have been obtained,' says AT&T. 'We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.'"
Re:Goatse? Really? (Score:5, Informative)
I'm not fucking joking.
Additionally, this may be a Slashdot first: The GNAA first post is actually the article itself.
Re:Bad move, Apple (Score:5, Informative)
Contractual obligations. Here [engadget.com]'s some info.
Basically, Apple signed a five-year deal in 2007 because they badly needed a carrier who was willing to sink many millions into the release.
Here's the thing that sucks for early adopters: If you bought in '07, you had to sign a two-year deal with AT&T. Par for the course for a phone the way we've got it structured in the US. But after your two years are up, you'd still be stuck with AT&T for another three years due to the 5-year deal they have with Apple. Either that, or jailbreak your phone, etc.
Practically, though, the extra three years are no big deal for the early adopters... surely most of them would move onto a new phone after two years, since they are early adopters.
Re:Goatse Security (Score:0, Informative)
Apple users are used to having their anuses stretched open, both by Apple and by other men. It makes sense that Goatse Security would be the group to gain access to their personal information.
Cough (Score:3, Informative)
http://www.citrix.com/English/ps2/products/product.asp?contentID=1689163 [citrix.com]
"Citrix makes it easy to use enterprise applications, including Windows applications, on your iPhone, Blackberry, Android and Windows mobile devices on-demand."
Re:Bad joke (Score:4, Informative)
>A computer security consultant was convicted in the UK for typing "/../../" after a URL and hitting enter
Wow I just realized what that does.
That's about the lowest definition of "hacking" you can possibly have. It's more like basic literacy.
Re:Goatse? Really? (Score:5, Informative)
Ummmm...apparently, actually true [goatse.fr]. It really is a division of the GNAA. Makes me wonder how accurate this story is.
Re:Bad joke (Score:5, Informative)
Personuppgiftslagen / personal data law [riksdagen.se]
Google translation (enhanced by hand ..)
Safety measures
31 The liable data manager must take appropriate technical and organizational measures to protect the personal data processed. These measures must achieve a level of security that is appropriate with regard to
a) the technical options available,
b) what it would cost to implement the actions;
c) the specific risks involved in the processing of personal data, and
d) how sensitive the treated personal information is.
When the liable data manager uses a personal data assistant, the liable data manager must ensure that the personal data assistant can implement the security measures required and ensure that the personal data assistant actually take those measures.
The regulatory authority may decide on security measures.
Re:Doesn't Matter (Score:3, Informative)
Was the summary tl;dr for you? And for everyone who modded you up?
Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads. [emphasis added]
Re:Bad joke (Score:3, Informative)
There was no need to retrieve over 100,000 addresses before notifying AT&T nor was there any need to share the gaping security hole with others as was also done.
http://security.goatse.fr/ [goatse.fr]
Re:Goatse? Really? (Score:1, Informative)
Name: David J Moore
Alias: kunwon1
Email: dave.j.moore@gmail.com
Occupation: Unemployed
Eye color: Brown
Hair color: Ginger
Tel: 1.8157517281
Location: 217 W Cortland Center Road
Cortland, IL 60112
Re:Goatse? Really? (Score:1, Informative)
> The sad truth of the matter is that even idiots get lucky eventually.
They've also found holes in Safari and Firefox, actually.
If you think this story was bad, you should've seen some of the others in the Firehose. Nothing but bad puns based on gaping holes.
Re:Doesn't Matter (Score:1, Informative)
I did, did you use your brain or just accept what the doucebags at gawker said as fact?
So, by their and your account, if I decide to sell my product exclusively at a store, and you use a credit card, and said credit card number is stolen, it's my fault and not the store's?
Better analogy, an HTC phone is available only at Verizon, so to get this phone I have to subscribe to Verizon's service. To do this, I have to give up personal information and a credit card. Once again, someone gains access to my personal information through a data breach at Verizon, it's HTC's responsibility?
Complete bullshit to you, sir.
Re:Bad joke (Score:5, Informative)
We still call ourselves hackers, and revel in the thrill that outsiders think we are elite master cyber-criminals who get blowjobs while typing quickly on our keyboards, like in that film with Halle Berry.