A group of cybercriminals recently stole the e-mail addresses of over 100,000 Apple iPad users from AT&T — without actually having to hack into the company’s network.
How’d they do it? By exploiting a minor convenience feature enabled for users when they sign into AT&T’s website, the mobile carrier told tech blog Gizmodo.
When iPad users sign up for 3G service, they’re asked for their e-mail address, which AT&T then automatically associates with the serial number of the iPad’s SIM card. So when users go to log into AT&T’s site using the iPad, their e-mail address is already filled in.
The hacking group was able to write a script that sent random serial numbers as an HTTP request until they returned an address. They ended up with a stash of 114,000 addresses.
AT&T has since turned off the password storing feature.