Yesterday we reported on a massive security lapse by AT&T that rendered sensitive personal information about tens of thousands of iPad owners vulnerable. Hackers were able to extract the personal email addresses of 114,000 individual users, along with the IDs used to authenticate them on AT&T’s network.
Some new information has come to light from Gizmodo, detailing how the hackers performed the hack – it’s not pretty reading.
AT&T wanted to offer a convenient way of letting users log into their 3G data plan accounts, auto-populating each user’s email address on the dashboard by referencing the unique identifier (ICC-ID) of the user’s iPad.
The hackers, realizing this, produced a script that used brute-force techniques to auto-generate thousands of unique ICC-IDs, harvesting email addresses as the script ran.
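From the defending side, the harvesting described above leaves a recognizable trace: one client looking up many different ICC-IDs in a short time, where a real owner only ever asks about their own. The sketch below is an added example, not code from AT&T or from the original report; the log format, the sample lines, the threshold, the window and the function names are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, client address, ICC-ID queried.
# Addresses come from documentation ranges; ICC-IDs are made-up digit strings.
SAMPLE_LOG = """\
2024-01-01T09:00:00 203.0.113.10 89010000000000000011
2024-01-01T09:00:05 198.51.100.7 89010000000000000101
2024-01-01T09:00:06 198.51.100.7 89010000000000000102
2024-01-01T09:00:07 198.51.100.7 89010000000000000103
2024-01-01T09:00:08 198.51.100.7 89010000000000000104
2024-01-01T09:00:09 198.51.100.7 89010000000000000105
2024-01-01T09:01:00 203.0.113.10 89010000000000000011
2024-01-01T09:30:00 192.0.2.44 89010000000000000021
2024-01-01T11:30:00 192.0.2.44 89010000000000000022
2024-01-01T13:30:00 192.0.2.44 89010000000000000023
2024-01-01T15:30:00 192.0.2.44 89010000000000000024
"""


def parse(line):
    """Split one log line into (timestamp, client, iccid)."""
    ts, client, iccid = line.split()
    return datetime.fromisoformat(ts), client, iccid


def find_enumerators(lines, max_distinct=3, window=timedelta(minutes=5)):
    """Return {client: peak distinct ICC-IDs} for every client that looked up
    more than max_distinct different ICC-IDs inside any sliding window."""
    recent = defaultdict(deque)  # client -> (timestamp, iccid) pairs still in window
    flagged = {}
    for ts, client, iccid in sorted(parse(l) for l in lines if l.strip()):
        q = recent[client]
        q.append((ts, iccid))
        # Drop lookups that have aged out of the window for this client.
        while ts - q[0][0] > window:
            q.popleft()
        distinct = len({i for _, i in q})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged


if __name__ == "__main__":
    for client, peak in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {peak} distinct ICC-IDs within 5 minutes")
```

The repeat visitor and the client whose four lookups are spread across a day stay below the threshold; only the burst of distinct identifiers is flagged. Detection of this kind is a backstop, since the underlying fix is not returning an email address to a caller who has only presented an identifier.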
You can see what AT&T were trying to do; it’s just a shame that most tech-savvy users would recognize how the email addresses were generated. No passwords were stolen, but that won’t stop thousands of iPad owners from looking at AT&T with an even more suspicious eye.
Good idea, ultimately flawed. Some would say that is AT&T in a nutshell.