AT&T sends out iPad 3G email leak acknowledgment

Posted in iPad, edited January 2014
Following the web attack that enabled black hat hackers to obtain a list of private email addresses of its iPad 3G subscribers, AT&T has mailed out a vaguely apologetic acknowledgment of the event explaining what happened.



The event resulted in an FBI investigation of the attack, which exploited a feature on AT&T's website that auto-populated a user's email address on record when their iPad 3G SIM card serial number was entered into the page.



The attack used scripts to repeatedly poll the site for email addresses based on plausible serial numbers, resulting in a long list of email addresses tied to specific iPad SIM cards, although no other information was obtained.



AT&T has since disabled the feature, so customers logging into the site will have to enter both their SIM card serial number and their email address.
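The pattern the article describes, one client sweeping many plausible SIM serial numbers against the prefill page, is something a site operator can spot in its own access logs before the list grows long. The following is an added example and not AT&T's code or anything published with the article; the endpoint path, the `iccid` parameter name and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real traffic). Endpoint path, parameter
# name and ICC-ID values are assumptions for illustration only.
LOG = """\
198.51.100.7 - - [09/Jun/2010:14:02:01 +0000] "GET /ipad/prefill?iccid=89014104212345678901 HTTP/1.1" 200 88
198.51.100.7 - - [09/Jun/2010:14:02:01 +0000] "GET /ipad/prefill?iccid=89014104212345678902 HTTP/1.1" 200 91
198.51.100.7 - - [09/Jun/2010:14:02:02 +0000] "GET /ipad/prefill?iccid=89014104212345678903 HTTP/1.1" 404 0
198.51.100.7 - - [09/Jun/2010:14:02:02 +0000] "GET /ipad/prefill?iccid=89014104212345678904 HTTP/1.1" 200 85
198.51.100.7 - - [09/Jun/2010:14:02:03 +0000] "GET /ipad/prefill?iccid=89014104212345678905 HTTP/1.1" 404 0
203.0.113.9 - - [09/Jun/2010:14:05:40 +0000] "GET /ipad/prefill?iccid=89014104299999999999 HTTP/1.1" 200 90
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /ipad/prefill\?iccid=(?P<iccid>\d{19,20}) HTTP/[\d.]+" (?P<status>\d{3})'
)

def parse(log):
    """Yield (client_ip, timestamp, iccid, status) for each prefill request."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((m["ip"], ts, int(m["iccid"]), int(m["status"])))
    return events

def find_enumerators(log, window=timedelta(seconds=60), max_distinct=3):
    """Flag clients that look up more than max_distinct distinct ICC-IDs
    within `window`. A real iPad sends only its own ICC-ID, so a run of
    adjacent serials with a mix of hits and misses is the enumeration signature."""
    by_ip = defaultdict(list)
    for ip, ts, iccid, status in parse(log):
        by_ip[ip].append((ts, iccid, status))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window
                start += 1
            span = evs[start:end + 1]
            ids = sorted({e[1] for e in span})
            if len(ids) > max_distinct and (best is None or len(ids) > best["distinct"]):
                best = {"distinct": len(ids),
                        "sequential_steps": sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1),
                        "misses": sum(1 for e in span if e[2] != 200)}
        if best:
            flagged[ip] = best
    return flagged
```

A rate limit keyed on the client plus the second-factor check the article mentions (requiring the email address as well as the serial) addresses the root cause; the log check above is the detection side of the same problem.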



A copy of the letter was posted by BGR (below).




Comments

  • Reply 1 of 28
    oc4theo Posts: 294, member
    Should have been done on day one! Why the long delay?

    This is not a good corporate image for AT&T.
  • Reply 2 of 28
    jragosta Posts: 10,473, member
    I didn't get that letter - and I signed up for 3G for my iPad on day 1.
  • Reply 3 of 28
    lkrupp Posts: 10,557, member
    Quote:
    Originally Posted by OC4Theo View Post


    Should have been done on day one! Why the long delay?

    This is not a good corporate image for AT&T.



    Name a company who has done better or who would do better in a similar situation. The issue was dealt with the same day it became known. Not bad for a company with over 1000,000 employees. How fast do Apple, Microsoft, and the rest deal with this sort of thing? Sometimes it's months before Apple patches a security issue. And then there's Adobe and its Flash security issues.
  • Reply 4 of 28
    "Vaguely apologetic?" The letter has a clear apology, unless of course you're predisposed to dislike anything AT&T does.
  • Reply 5 of 28
    xtss33 Posts: 25, member
    I'm disgusted about the failure of AT&T to protect my data. Email addresses today, what else tomorrow? What a bunch of hacks. If the US took personal data security as seriously as Europe does, perhaps this would happen less often because it would hurt their bottom line. Personal data should be protected by LAW here - not with a marketing promise. Just another example of how we give the keys to corporations.
  • Reply 6 of 28
    erpx Posts: 24, member
    I didn't receive an e-mail. Does it mean my info was not in the compromised list? I also purchased the 3G/WiFi iPad on Day 1 (April 30th).
  • Reply 7 of 28
    shobiz Posts: 207, member
    Quote:
    Originally Posted by lkrupp View Post


    Name a company who has done better or who would do better in a similar situation. The issue was dealt with the same day it became known. Not bad for a company with over 1000,000 employees. How fast do Apple, Microsoft, and the rest deal with this sort of thing? Sometimes it's months before Apple patches a security issue. And then there's Adobe and its Flash security issues.



    +1



    Quote:
    Originally Posted by StLBluesFan View Post


    "Vaguely apologetic?" The letter has a clear apology, unless of course you're predisposed to dislike anything AT&T does.



    +1



    Quote:
    Originally Posted by xtss33 View Post


    I'm disgusted about the failure of AT&T to protect my data. Email addresses today, what else tomorrow? What a bunch of hacks. If the US took personal data security as seriously as Europe does, perhaps this would happen less often because it would hurt their bottom line. Personal data should be protected by LAW here - not with a marketing promise. Just another example of how we give the keys to corporations.



    -1



    Quote:
    Originally Posted by erpx View Post


    I didn't receive an e-mail. Does it mean my info was not in the compromised list? I also purchased the 3G/WiFi iPad on Day 1 (April 30th).



    Yes



    Quote:
    Originally Posted by jragosta View Post


    I didn't get that letter - and I signed up for 3G for my iPad on day 1.



    See above...
  • Reply 8 of 28
    solipsism Posts: 25,726, member
    Hey Dorothy, let me fix that for you...
    Dear Valued AT&T Customer,



    Recently there was an issue that affected some of our customers with AT&T 3G service for iPad resulting in the Unlimited data plan not being available to you after June 7th unless you paid for and maintained that plan each consecutive month. I am writing to let you know that we had a brainfart and now realize you may have purchased the iPad 3G specifically for previously advertised plan options. We apologize for the incident and any inconvenience it may have caused. Rest assured, you can continue to opt for your AT&T Unlimited 3G service data plan on your iPad indefinitely and with confidence.



    Sincerely,



    Dorothy Attwood

    Senior Vice President, Public Policy and Chief Privacy Officer for AT&T
  • Reply 9 of 28
    What's hilarious about this is, they make it look like a personalised apology, and yet down the bottom it says it's an automated email address you can't reply to.



    So, they'll let your email address leak. But they won't even provide you the one from the woman who did the apology.
  • Reply 10 of 28
    rbonner Posts: 635, member
    I am fine with this, it does place the blame outside of AT&T a bit much, so not as much of an apology as a 'It was not our fault, it was a couple of very crafty hackers', but I do understand it happens.



    What I find funny is the earlier story where the head of AT&T threatened someone with legal action for emailing him. I doubt that we would be able to sue him if someone used our email address after this leak.
  • Reply 11 of 28
    sensi Posts: 346, member
    "Following the web attack that enabled black hat hackers"



    Hmm, "web attack" and "black hat" hackers to portray security researchers and their demonstration script? Black hat involves illegal activities or vandalism as a motivation; there was none. This is really becoming more and more weird, biased and in fine irrelevant over here.
  • Reply 12 of 28
    rod76 Posts: 21, member
    I got my worthless letter. An apology really does nothing, there should be fines involved or I should get some discount on my service.
  • Reply 13 of 28
    anonymouse Posts: 6,860, member
    Quote:
    Originally Posted by Sensi View Post


    "Following the web attack that enabled black hat hackers"



    Hmm, "web attack" and "black hat" hackers to portray security researchers and their demonstration script? Black hat involves illegal activities or vandalism as a motivation; there was none. This is really becoming more and more weird, biased and in fine irrelevant over here.



    Their motivation was self-aggrandizement, and they handed the data over to a sleazy web tabloid for publication. I think black hat is a fitting description in this case, as is web attack. I might have used an even stronger adjective to describe them. The only things that belong in quotes are "security researchers" and "demonstration script".
  • Reply 14 of 28
    I haven't heard anything so I guess I'm not one of the affected users. However, having done web programming for many years now, I am inclined to ask why this gaping security hole was left open. Does nobody there do penetration testing? I always remember one rule: never trust user input. I guess at the end of the day it's the dollars that matter, and I'm voting for AT&T with my wallet. That said, if there was another option I'd be seriously exploring it.
  • Reply 15 of 28
    rot'napple Posts: 1,839, member
    Quote:
    Originally Posted by xtss33 View Post


    I'm disgusted about the failure of AT&T to protect my data. Email addresses today, what else tomorrow? What a bunch of hacks. If the US took personal data security as seriously as Europe does, perhaps this would happen less often because it would hurt their bottom line. Personal data should be protected by LAW here - not with a marketing promise. Just another example of how we give the keys to corporations.



    Are you kidding me?! The US government (because they are the ones supposedly responsible for making law) taking anything seriously to protect one's self-privacy?!



    This is not a swipe at Obama by me for a change, so read on with an open mind.



    I'll give you an example of how valued privacy is in America when it comes to protection by "LAW"!



    There was a time in the U.S., pre 2003, when your telephone would ring off the hook, incessantly, from telemarketers selling their wares: magazine subscriptions, various products, various services, etc. They'd always call, it seems, right as you'd sit down for dinner, supper, or whatever you call your evening meal. You'd answer because "Caller ID" was not a prevalent feature by the phone company.



    Congress, our beloved political A-holes at the time, passed "The Do-Not Call List" where people HAD to join the list to be effective and not have businesses call and if telemarketers called those on the list and the person filed complaints, I believe an $11,000 dollar fine would be issued to the company.



    Here is the kicker, folks. According to the politicians, 'Do-Not Call' doesn't necessarily mean do not call for certain groups. Namely "charities" and you guessed it "politicians". So much for a noble idea and promise. Thanks to the exemptions, the phone rings incessantly off the hook near election day and any "hack" can pose as some charitable organization to try and rife the unwittingly with a very convincing script! Thanks Congress.



    So back to the poster's comments: "Personal Data should be protected by LAW here - not with a marketing promise."



    Again, I rant: "Protected by LAW? Are you kidding me?!"
  • Reply 16 of 28
    rot'napple Posts: 1,839, member
    Quote:
    Originally Posted by rbonner View Post


    I am fine with this, it does place the blame outside of AT&T a bit much, so not as much of an apology as a 'It was not our fault, it was a couple of very crafty hackers', but I do understand it happens.





    Well nowadays, it does seem to be the "popular thing to do" with regards to taking responsibility without taking responsibility and knowing where the true blame falls.



    Obama and his fellow children in power have crafted the "Not Me!", "what we inherited" and "because of the Bush Administration" lines to an Art form, that makes me wonder when this kid will grow up and take responsibility for anything?! A poster found AT&T's actions 'disgusting' but to me, this incessant whining by those in Washington is truly quite disgusting!



    Hey Obama, is it George Bush's fault for you spending more time on the 'Golf Course' VERSUS the Gulf Coast?!





  • Reply 17 of 28
    sdw2001 Posts: 18,016, member
    Quote:
    Originally Posted by StLBluesFan View Post


    "Vaguely apologetic?" The letter has a clear apology, unless of course you're predisposed to dislike anything AT&T does.



    What about if I am predisposed to enjoy laughing at their misfortune? Seriously, I love it. Why? Because overall as a wireless company, AT&T sucks. Their coverage, reliability, pricing schemes and customer service...they're all terrible. The only reason I have it is because I have an iPhone.





    Quote:
    Originally Posted by Rod76 View Post


    I got my worthless letter. An apology really does nothing, there should be fines involved or I should get some discount on my service.



    As I just demonstrated, I'm no fan of AT&T. That said, what....are you kidding? They did what they could do to fix the issue. You asking for fines is analogous to someone having their home robbed, where they lose a family member's jewelry. You're then saying the victim(s) of the theft should be fined for allowing it to happen.
  • Reply 18 of 28
    aquia33 Posts: 70, member
    ? So your email address found its way onto another spammer's list. In today's world that is a daily fact of life; learn how to deal with it. This hacker had to do a lot of work to assemble this list; it was not just a matter of copying a file. It also smells like there was some inside info that triggered this exploit.
  • Reply 19 of 28
    masternav Posts: 442, member
    Quote:
    Originally Posted by xtss33 View Post


    I'm disgusted about the failure of AT&T to protect my data. Email addresses today, what else tomorrow? What a bunch of hacks. If the US took personal data security as seriously as Europe does, perhaps this would happen less often because it would hurt their bottom line. Personal data should be protected by LAW here - not with a marketing promise. Just another example of how we give the keys to corporations.



    Your email is available from all kinds of sources on the internet, and Google has all kinds of additional data on you that China is just itching to get their hands on!



    Seriously, if you aren't using dummy emails for this stuff, (or something) you deserve to get spammed by the likes of Goatse (lamea$$ group of wannabes).



  • Reply 20 of 28
    masternav Posts: 442, member
    Quote:
    Originally Posted by Sensi View Post


    "Following the web attack that enabled black hat hackers"



    Hmm, "web attack" and "black hat" hackers to portray security researchers and their demonstration script? Black hat involves illegal activities or vandalism as a motivation; there was none. This is really becoming more and more weird, biased and in fine irrelevant over here.



    ...they announced that they had released the script to unspecified others" outside of their organization - thus throwing the script into the wild. That constitutes asshattery more than blackhattery, but for them to go "we ain't done nothin' wrong", is a complete and utter fail. The key to the FBI investigation will be what their motivation was. If it was a deliberate attack on ATT to try and compromise specifically the iPad release and iPad users, that would be a potential civil litigation by Apple and ATT against Goatse. If they were just poking a discovered vulnerability and were simply careless in the script release they will probably get little more than stern looks.



    I think it's interesting they went specifically after iPad owners, and not other handheld or wireless devices that were non-contract. Sounds pretty much like a media grab.