iPad users’ e-mail addresses stolen

A group of cybercriminals recently stole the e-mail addresses of over 100,000 Apple iPad users from AT&T — without actually having to hack into the company’s network.

How’d they do it? By exploiting a minor convenience feature enabled for users when they sign into AT&T’s website, the mobile carrier told tech blog Gizmodo.

When iPad users sign up for 3G service, they’re asked for their e-mail address, which AT&T then automatically associates with the serial number of the iPad’s SIM card. So when users go to log into AT&T’s site using the iPad, their e-mail address is already filled in.

The hacking group wrote a script that sent random serial numbers to AT&T’s site in HTTP requests until one returned an address. They ended up with a stash of 114,000 addresses.

AT&T has since turned off the password storing feature.
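The request pattern described above, one client asking about many different SIM serial numbers, stands out in access logs because a real device only ever asks about its own SIM. The following detection sketch is an added example, not code from the article or from AT&T; the log format, the `/prefill` path and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical access-log format (an assumption, not AT&T's):
#   <ISO timestamp> <client IP> GET /prefill?serial=<digits>
LINE_RE = re.compile(r"^(\S+) (\S+) GET /prefill\?serial=(\d+)$")

def parse(line):
    """Return (time, client, serial), or None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3)

def find_enumerators(lines, window=timedelta(minutes=1), max_serials=3):
    """Flag clients that look up more than max_serials distinct serial
    numbers inside any sliding window. A legitimate device keeps asking
    about the same serial, so its distinct count stays at 1."""
    recent = defaultdict(list)   # client -> [(time, serial)] still in window
    flagged = {}                 # client -> peak distinct serials observed
    for ts, client, serial in sorted(filter(None, map(parse, lines))):
        events = recent[client]
        events.append((ts, serial))
        # Drop lookups that have fallen out of the sliding window.
        while events[0][0] < ts - window:
            events.pop(0)
        distinct = len({s for _, s in events})
        if distinct > max_serials:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

def make_sample():
    """Constructed log: one normal device, one client walking serials."""
    lines = [f"2010-06-01T12:00:{i:02d}Z 198.51.100.20 GET "
             f"/prefill?serial=89014100000000000017" for i in (0, 30, 59)]
    lines += [f"2010-06-01T12:00:{i:02d}Z 203.0.113.7 GET "
              f"/prefill?serial=890141{i:014d}" for i in range(10)]
    lines.append("2010-06-01T12:00:05Z 198.51.100.20 GET /index.html")
    return lines

if __name__ == "__main__":
    for client, n in find_enumerators(make_sample()).items():
        print(f"{client}: {n} distinct serials within one minute")
```

Counting distinct serials rather than raw requests keeps a device that simply reloads the login page from being flagged.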

  • Leave it to criminals to find these kinds of loopholes. Maybe IT departments should hire ex-convicts as consultants, like in the movie “Catch Me If You Can”…