MOBILE NETWORK OPERATOR AT&T has apologised to its customers about the email hack that exposed the personal email addresses of over 100,000 Ipad buyers.
Goatse Security, a firm whose name we link to so that readers can spare themselves an embarrassing Google search, said last week that it had exploited a flaw in AT&T's protocols, letting it harvest the data of some 114,000 Ipad 3G owners.
Embarrassingly for AT&T, the hack attack exposed the email details of its customers, and embarrassingly for these customers - which included the White House chief of staff, New York mayor Michael Bloomberg and numerous senior people in the military, media and commerce sectors - it also revealed that they had bought Ipads.
More embarrassingly still, it took AT&T almost a week to respond and email its users about what happened, and the email it eventually sent was not especially apologetic. In the meantime customers were left to take the word of a firm whose name is associated with one of the Internet's grubbiest locales, the aforementioned Goatse.
In its email, which comes from Dorothy Attwood, senior vice president and chief privacy officer at AT&T, and was sent 13 June, the firm described Goatse as 'hackers', explaining that it had "maliciously exploited a function designed to make your Ipad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your Ipad for 3G service."
In an attempt to assuage users' fears, Attwood added that the hack would have taken a lot of effort to exploit, and claimed that it granted Goatse nothing but "the barest information".
"I want to assure you that the email address and ICC-ID were the only information that was accessible. Your password, account information, the contents of your email, and any other personal information were never at risk.... AT&T acted quickly to protect your information - and we promise to keep working around the clock to keep your information safe. Thank you very much for your understanding, and for being an AT&T customer."
We don't know how understanding these customers were, but we do know that the response has irked one party.
Yes, Goatse Security has replied to the letter, and in a statement posted on its website the firm said, "So, AT&T calls us malicious in their letter to their customers. I think this calls for a statement to clear the air."
Goatse said that by emailing such a large number of its users AT&T had opened itself up to even more embarrassment, as it showed a poor understanding of the wider implications of its security vulnerabilities.
"AT&T mailing so much of their subscriber base exposes a potential I have been suspicious of. They were likely not logging their httpd and had no idea how to verify the true scope of the disclosure, so they had to mail a huge number of customers," wrote Escher Auernheimer on the Goatse website.
"If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it and it would likely be exploited by the RBN or the Chinese, or some other criminal organisation or government (if it wasn't already)," he added.
When it comes to the 'great efforts' the firm apparently went to in carrying out the attack, Goatse was equally scathing. "I'll tell you this," said Auernheimer, "the finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails. If you see this as 'great efforts', so be it."
Heaping more shame on top of AT&T, Auernheimer said that Goatse had given it ample warning to inform its customers of the issue before it went public with the details of the hack. Describing the lag as "not acceptable", he added that this sluggish approach could have left the same security holes open to other, more malicious organisations.
"It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organisation might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability", he warned. "Even in this disclosure, which I feel they would not have made if we hadn't publicised this vulnerability, AT&T is being dishonest about the potential for harm."
We are off to wash our hands; this whole thing is just too grubby. µ
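The httpd logging point Auernheimer raises is what lets an operator scope a disclosure like this instead of mailing its whole subscriber base. As an added illustration, not code from the article, AT&T or Goatse Security, the script below parses constructed Apache-style access log lines for a hypothetical pre-populate endpoint (the `/prepopulate` path and `iccid` parameter are assumed stand-ins for the function the letter describes), flags clients walking ICC-IDs in sequence, and counts which ICC-IDs actually had an address returned.

```python
import re
from collections import defaultdict

# Constructed Apache-style access log lines (not real AT&T logs). The
# /prepopulate path and the iccid parameter are hypothetical stand-ins for
# the pre-populate function the article describes.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2010:10:01:01 -0500] "GET /prepopulate?iccid=89014100000000000001 HTTP/1.1" 200 512
203.0.113.7 - - [09/Jun/2010:10:01:02 -0500] "GET /prepopulate?iccid=89014100000000000002 HTTP/1.1" 200 514
203.0.113.7 - - [09/Jun/2010:10:01:03 -0500] "GET /prepopulate?iccid=89014100000000000003 HTTP/1.1" 200 511
203.0.113.7 - - [09/Jun/2010:10:01:04 -0500] "GET /prepopulate?iccid=89014100000000000004 HTTP/1.1" 404 0
203.0.113.7 - - [09/Jun/2010:10:01:05 -0500] "GET /prepopulate?iccid=89014100000000000005 HTTP/1.1" 200 513
198.51.100.20 - - [09/Jun/2010:10:05:00 -0500] "GET /prepopulate?iccid=89014100000000007777 HTTP/1.1" 200 515
198.51.100.21 - - [09/Jun/2010:10:06:00 -0500] "GET /index.html HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /prepopulate\?iccid=(\d+) HTTP/[\d.]+" (\d{3})'
)

def parse_lookups(log_text):
    """Return (client_ip, iccid, status) for each request to the endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return hits

def flag_enumerators(hits, min_distinct=3, max_gap=1):
    """Flag clients that queried several distinct ICC-IDs in near-consecutive
    order, the signature of a scraper walking the ID space."""
    by_ip = defaultdict(set)
    for ip, iccid, _ in hits:
        by_ip[ip].add(iccid)
    flagged = {}
    for ip, ids in by_ip.items():
        if len(ids) < min_distinct:
            continue
        ordered = sorted(ids)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        if sum(1 for g in gaps if g <= max_gap) >= min_distinct - 1:
            flagged[ip] = len(ids)
    return flagged

def exposure_scope(hits):
    """Distinct ICC-IDs for which a record was actually returned (HTTP 200):
    the subscribers whose email address was disclosed and must be notified."""
    return {iccid for _, iccid, status in hits if status == 200}
```

Without the access log, `exposure_scope` cannot be computed at all, which is exactly the situation Auernheimer says forced AT&T to mail a huge number of customers.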
"If not for our firm talking about the exploit to third parties who subsequently notified [AT&T], they would have never fixed it"
and
"Auernheimer said that Goatse had given [AT&T] ample warning to inform its customers of the issue before it went public with the details of the hack"
Am I missing something there?
Very amusing to see goatse used in such an earnest writing, especially since you didn't even bother to add the 'security' thing to the name.
As for AT&T, I bet they did not apologize yet for spying on 100 million Americans in violation of the law and constitution and then using their money and influence to corrupt the system to get a get-out-of-jail-free card from 2 (two) presidents.
Screw the constitution and law and privacy and respect, it's Apple we feel bad about, poor poor blessed saint Apple.
The damage has already been done :(