The Federal Bureau of Investigation is investigating the breach on AT&T servers that exposed the e-mail addresses and mobile SIM IDs of more than 114,000 iPad 3G owners, including high-profile early adopters like Chief of Staff Rahm Emanuel and New York City Mayor Michael Bloomberg.
The agency said on Thursday that it is looking into "the potential cyber threat" from the breach.
AT&T Inc. said it has no comment. The Dallas-based phone company acknowledged Wednesday that it had exposed the e-mail addresses through a Web site, and had closed the breach.
The vulnerability only affected iPad users who signed up for AT&T's "3G" wireless Internet service.
An AT&T Web site could be tricked into revealing an iPad owner's e-mail address when supplied with a code associated with their particular iPad. A hacker group that calls itself Goatse Security said it got the site to cough up more than 114,000 e-mail addresses by guessing which codes would be valid.
The group said it contacted AT&T and waited until the vulnerability was fixed before going public with the information. AT&T said the problem was fixed Tuesday but that it was alerted to it by a business customer.
Apple Inc., the maker of the iPad, has not commented on the breach, referring all questions to AT&T.
AT&T has apologized and said it will notify all iPad users whose e-mail addresses may have been accessed.
AT&T sent out a letter to customers apologizing for the recent security breach:
"On June 7 we learned that unauthorized computer ‘hackers’ maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service. The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address. When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the email address associated with the ICC-ID already populated on the log-in screen.
The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity.
As soon as we became aware of this situation, we took swift action to prevent any further unauthorized exposure of customer email addresses. Within hours, AT&T disabled the mechanism that automatically populated the email address. Now, the authentication page log-in screen requires the user to enter both their email address and their password."
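The letter describes one client repeatedly querying a web address with generated ICC-IDs, most of which would not match a real SIM. As an added example (not from the article or from AT&T), the Python code below shows how that pattern can be picked out of web logs while leaving a single device or a shared gateway of real devices unflagged; the log format, the `/login` path, the `prefill` field and the thresholds are assumptions, and all log lines are constructed.

```python
# Added example: log format, /login path, prefill field and thresholds are
# assumptions for illustration; none of them come from AT&T or the article.
import re
from collections import defaultdict

LINE = re.compile(
    r'^(?P<ip>\S+) - "GET /login\?iccid=(?P<iccid>\d{19,20})" \d{3} '
    r'prefill=(?P<prefill>yes|no)$'
)

def find_enumerators(lines, min_distinct=5, max_hit_ratio=0.5):
    """Return {client_ip: (distinct_ids, ids_that_matched)} for clients that
    query many different ICC-IDs and mostly miss, i.e. appear to be guessing."""
    seen, hits = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not lookups
        seen[m["ip"]].add(m["iccid"])
        if m["prefill"] == "yes":
            hits[m["ip"]].add(m["iccid"])
    flagged = {}
    for ip, ids in seen.items():
        matched = len(hits[ip])
        if len(ids) >= min_distinct and matched / len(ids) <= max_hit_ratio:
            flagged[ip] = (len(ids), matched)
    return flagged

def _line(ip, n, prefill):
    # Constructed ICC-ID: "89" prefix plus 17 digits, not a real SIM number.
    return f'{ip} - "GET /login?iccid=89{n:017d}" 200 prefill={prefill}'

# Constructed log lines using documentation-range IP addresses.
SAMPLE = (
    [_line("192.0.2.10", 1, "yes")] * 3                          # one iPad, repeat visits
    + [_line("198.51.100.7", 100 + i, "yes") for i in range(6)]  # shared NAT, real devices
    + [_line("203.0.113.5", 500 + i, "yes" if i % 10 == 0 else "no")
       for i in range(40)]                                       # mostly misses
    + ["203.0.113.5 - \"GET /favicon.ico\" 200"]                 # unrelated request
)

if __name__ == "__main__":
    for ip, (distinct, matched) in find_enumerators(SAMPLE).items():
        print(f"{ip}: {distinct} distinct ICC-IDs, {matched} matched")
```

The hit-ratio condition is what separates guessing from a gateway shared by many real devices, which also sends many distinct identifiers but nearly all of them valid.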
New York Mayor Michael Bloomberg's e-mail address was among those exposed, but the billionaire media mogul shrugged it off Thursday and said he didn't understand the fuss.
"It shouldn't be pretty hard to figure out my e-mail address," Bloomberg said, "and if you send me an e-mail and I don't want to read it, I don't open it. To me it wasn't that big of a deal."