A security flaw in one of AT&T’s customer-identification scripts has allowed a group of 4chan-associated hackers to extract as many as 114,000 email addresses of iPad owners. AT&T has apologized and explained the flaw and data leaked. Essentially, a bit of open information (the SIM card’s ICC-ID) was tied to a piece of private information (the iPad owner’s email address) so that on encountering certain AT&T fields, it would automatically fill in the field with the appropriate email. Think the “Remember this password?” notifications that pop up when you register for a site, but a little more low-level.
The hackers, a group known as Goatse Security (I’ll let you work out the reasoning for the name yourself), organized a brute-force attack in which they pummeled a public AT&T script with semirandom ICC-ID numbers, which would return nothing if invalid but an email address if valid. A few hours later, they had the ICC-IDs and email addresses of everyone from Michael Bloomberg and Diane Sawyer to a Mr. Eldredge, who commands a fleet of B-1 bombers.
