AT&T Takes Heat for iPad Who’s-Who List Leak

The email addresses and device IDs of more than 100,000 owners of 3G-enabled iPads have been exposed in a security breach, according to wireless provider AT&T.

Victims apparently include at least one member of the U.S. President Barack Obama’s cabinet, heads of large corporations and other prominent people.

AT&T has since shut down the feature thought to be responsible for the leak.

Cracking the iPad Owner’s Data

The breach was apparently discovered by a group of security advisers that calls itself “Goatse Security.”

Goatse obtained iPad owners’ emails through a script on AT&T’s website that was accessible over the Internet. An iPad owner would provide an ICC-ID — an identification number for the device — in an HTTP request to the site. The site would then return the email address associated with that ICC-ID number.

That gave the hackers the email addresses of iPad owners whose ICC-IDs they had identified.

An ICC-ID is an integrated circuit card identifier. It identifies a subscriber identity module (SIM) card in a mobile telephony device. Owners of these devices can change their devices by removing the SIM card from their existing device and putting it into another.

The ICC-ID includes an issuer identification number, a major industry identifier, a country code, an issuer identifier, and an individual account identification number.

Testing that information lets one know who owns the device and which country the owner is in.

Goatse’s experts managed to guess a large number of ICC-IDs by looking at known iPad 3G ICC-IDs. Some of these were in pictures of the iPad posted by owners on the Internet. The experts then wrote a PHP script to automate the harvesting of data.

Goatse reportedly shared the script with third parties and notified AT&T of the breach, though AT&T has denied it had been notified by the group. Goatse did not respond to requests for comment by press time.

Reaching for the Sky

Some of the iPad’s earliest adopters include high-profile individuals in positions of power who presumably would want their personal email addresses kept private. Victims of the breach include White House Chief of Staff Rahm Emmanuel, as well as staffers in the U.S. Senate and other major government departments, according to a post on the blog Gawker.

Others apparently work for the Defense Advanced Research Projects Agency (DARPA) and other major branches of the United States’ armed services. Other victims include top executives of The New York Times and Dow Jones; high-level staff at Google, Amazon and Microsoft; and staff at financial industry companies like Goldman Sachs and JP Morgan.

There are at least 114,000 victims in the United States alone, Gawker reported.

Could Apple be partly responsible for the breach because it requires iPad owners to provide their email addresses in order to get service?

No, David Harley, director of malware intelligence at ESET, told the E-Commerce Times. “AT&T is hardly a mom-and-pop operation, and it wasn’t unreasonable for Apple to expect professionalism and expertise from the partnership with AT&T.”

Apple did not respond to requests for comment by press time.

AT&T Clamps Down

AT&T has shut off the feature that provided iPad owners’ email addresses in response to HTTP requests.

“We have essentially turned off the feature that provided the email addresses,” AT&T spokesperson Mark Siegel told the E-Commerce Times.

He disputed reports that Goatse had notified AT&T of the breach.

“The person or group who discovered this gap did not contact AT&T,” Siegel said. “AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC-IDs.”

AT&T is still investigating the breach and will inform all customers whose email addresses and ICC-IDs may have been breached.

All Sizzle, No Steak?

The breach is a tempest in a teacup, Carl Howe, director of anywhere research at the Yankee Group, told the E-Commerce Times.

“People can find out your email address. Who knew?” Howe said. “Most people are sending their email addresses to hundreds of people every day and don’t worry about security.”

“Activation and registration that requires an email address is very common in the software industry,” ESET’s Harley pointed out. “Its use in terms of the iPad is entirely consistent with Apple’s security model which is, in many ways, very effective.”

Hackers won’t get much out of the information gleaned from the attack, Howe said.

“You can’t do anything with the iPad serial number, it’s not terribly useful to anyone else other than A&T,” Howe remarked. “The hackers have the serial numbers of iPads and their owners’ email addresses, and that’s all,” he said.

“It’s a design flaw, certainly, but its impact is mostly in terms of bad public relations,” ESET’s Harley said. “It’s mostly AT&T’s bad luck that it was picked up by a group that saw an easy way to get some publicity. It seems to me that the risk has been somewhat overstated.”

The real impact of the hack will be inconvenience for iPad owners, Howe said.

“AT&T were trying to make it easier to buy services by automatically filling in users’ email addresses when they ordered, say, an iPad app,” Howe explained. “Now you’ll have to type in your email address when you order something for the iPad on AT&T’s website.”

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Richard Adhikari
More in Cybercrime

E-Commerce Times Channels

Attacks on Cloud Service Providers Down 25% During First 4 Months of 2022

New research from Atlas VPN shows that cloud-native exploits on major cloud service providers (CSPs) declined during the first four months of 2022.

Cloud-native exploits dropped by 25%, from 71 exploits in the first four months of 2021 to 53 exploits in the first four months of this year, Atlas researcher Ruta Cizinauskaite told the E-Commerce Times.

Although those numbers may seem small, they are significant, maintained Paolo Passeri, a cyber intelligence principal at Netskope, a Security Service Edge provider in Santa Clara, Calif., and author of the Hackmageddon blog, from where Atlas obtained the data for its report.

“This is only the so-called tip of the iceberg, that is, campaigns that have been unearthed and disclosed by security researchers,” he told the E-Commerce Times.

One of the most targeted CSPs during the period was Amazon Web Services (AWS), Cizinauskaite wrote in the report released June 8. “[AWS] suffered the most cloud-native exploits among cloud service providers as of April 2022,” she reported. “In total, it experienced 10 cloud-native exploits accounting for nearly a fifth (18.9%) of all such events in the first four months of this year.”

She explained that cloud-native threats refer to cyber events that exploit the cloud in one or more stages of the “kill chain,” a cybersecurity model that identifies the typical steps taken by hackers during a cyberattack.

Tool for Mischief

For hackers, Amazon — which, with a third of the CSP market, is top dog — is a robust battleground where an attacker can never run out of targets, Alon Gal, co-founder and CTO of Hudson Rock, a threat intelligence company in Tel Aviv, Israel, told the E-Commerce Times.

AWS is also a flexible tool that can be used for multiple purposes, Passeri added. For example, AWS can be used to host a malicious payload delivered during an attack, as a command-and-control center for malware or to provide the infrastructure to exfiltrate data, he explained.

“As trust in cloud service providers has increased, so has the attraction for cybercriminals that target selected external services with sophisticated yet expected techniques,” Gal observed.

“Once a playbook for a technique is developed,” he continued, “it usually results in a quick win for them across multiple companies.”

Tempting Targets

David Vincent, vice president of product strategies at Appsian Security, an ERP security application provider in Dallas, explained that more and more organizations are moving their critical business systems into the cloud for obvious advantages.

“As long as these business systems contain valuable targets such as data and personally identifiable information or enable financial transactions, like payments, that criminals want access to, these cloud solutions will continue to be targeted by malicious actors,” he told the E-Commerce Times.

With 60% of corporate data stored in the cloud, CSPs have become a target for hackers, Passeri added.

“Besides,” he continued, “a compromised cloud account can provide the attackers multiple tools to make their attacks more evasive.” For example, they can provide a platform to host malicious content, such as AWS, OneDrive or Google Drive. They can also provide an embedded email service, such as Exchange or Gmail, to deliver malicious content that evades web security gateways.

Fishers of Bytes

The report noted that trailing behind AWS in the targeted department were five services each with five exploits: Microsoft OneDrive, Discord, Dropbox, Google Drive, and GitHub.

Other services had a thinner slice of the exploit pie: Pastebin (5.7%); Microsoft 365 and Azure (3.8%); and Adobe Creative Cloud, Blogger, Google Docs, Google Firebase, Google Forms, MediaFire, and Microsoft Teams (1.9%).


A majority of the exploits (64.8%), the report found, were aimed at delivering a malware strain or a phishing page.

Other exploits used the CSPs to set up a command and control infrastructure for malignant activities elsewhere (18.5%) and for stealing data or launching other attacks (16.7%).

“Successful hackers are like fishermen, they have different lures in the tackle box to attack a victim’s weakness, and they often must change the lure or use multiple lures because the victims become informed and won’t bite,” Vincent explained.

Exploiting CSP Infrastructure

Passeri explained that malware delivered to CSPs is not designed to compromise their systems but to use their infrastructure since it is considered trusted by the victims and organizations that use it.

In addition, he continued, the CSPs offer a flexible platform that is resilient and simplifies hosting. For example, there is no need to allocate an IP space and register a domain.

Advantages to hackers using a CSP’s infrastructure cited by Passeri include:

  • It is considered trusted by the victim because they see a legitimate domain and in the case of a phishing page, a webpage hosted on a cloud service with a legitimate certificate.
  • In some cases it is considered trusted by organizations because too many of them consider the CSP infrastructure trusted, so they end up whitelisting the corresponding traffic, meaning that the security controls normally enforced on the traditional web traffic are not applied.
  • It is resilient because if the malicious content is taken down, the attackers can spin up a new instance instantaneously.
  • Traditional web security technologies are blind to the context, that is, they do not recognize if, for example, a connection to AWS is heading to a legitimate corporate instance, or to a rogue instance controlled by the attackers.


One form of malware distributed through CSPs is information-stealing software. “Info-stealers are a quick win for hackers, as they are able to capture all the sensitive data from a compromised computer in a matter of seconds while leaving almost no traces behind,” Gal said.

“They can then use data like corporate credentials and cookies that were captured by the stealer to cause significant data breaches and ransomware attacks,” he added.

While hackers are willing to use CSP infrastructure for nefarious ends, they’re less inclined to attack that infrastructure itself. “Most exploits from CSPs are a result of misconfigured public internet-facing resources, like AWS S3 buckets,” explained Carmit Yadin, CEO and founder of DeviceTotal, a risk management company in Tel Aviv, Israel.

“Malicious actors target these misconfigurations rather than looking for a vulnerability in the CSP’s infrastructure,” he told the E-Commerce Times. “CSPs often maintain a more secure infrastructure than their customers can manage alone.”

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by John P. Mello Jr.
More in Enterprise Security

Hackers Cast LinkedIn as Most-Popular Phishing Spot

LinkedIn users are being steadily more targeted by phishing campaigns.

In recent weeks network audits revealed that the social media platform for professionals was in the crosshairs of 52 percent of all phishing scams globally in the first quarter of 2022.

This is the first time that hackers leveraged LinkedIn more often than any tech giant brand name like Apple, Google, and Microsoft, according to various reports.

Social media networks now overtake shipping, retail, and technology as the category most likely to be targeted by criminal groups, noted network security firm Check Point.

The phishing attacks reflect a 44 percent uplift from the previous quarter, when LinkedIn was in fifth place with only eight percent of phishing attempts. Now LinkedIn has surpassed DHL as the most targeted brand.

The second most targeted category is now shipping. DHL now holds second place with 14 percent of all phishing attempts during the quarter.

Checkpoint’s latest security report shows a trend toward threat actors leveraging social networks as a prime target. Hackers contact LinkedIn users via an official-looking email in an attempt to bait them to click on a malicious link.

Once lured, users face a login screen to a fake portal where hackers harvest their credentials. The fake website often contains a form intended to steal users’ credentials, payment details, or other personal information.

“The goal of these phishing attacks is to get victims to click on a malicious link. LinkedIn emails, like another commonly targeted sender, shipping providers, are ideal because the email shares only summary information, and the user is compelled to click through to the on-platform detail and content,” Archie Agarwal, founder and CEO at ThreatModeler, told the E-Commerce Times.

Ideal Pickings

Hackers target LinkedIn users for two key reasons, according to Agarwal. Phishing is a digital play on the confidence game built on trust. Exploiting victims’ trust in their LinkedIn network is a natural alternative to phishing on corporate sites.

“The other advantage to targeting LinkedIn users is that targets are easy to identify and prioritize. Users’ profiles publish their title and affiliations,” he said.

It makes sense for attackers to use LinkedIn as a hook for socially engineered phishing attacks, added Hank Schless, senior manager, for security solutions firm Lookout, as it is generally accepted as a usable professional platform.

“However, it is not that different from any other social platform where an attacker can create a fake but convincing profile and message one of your employees with a malicious link or attachment,” he told the E-Commerce Times.


Rather than clicking on the email, LinkedIn users should instead go directly to the platform that supposedly notified them and look for that notification detail there, suggested Agarwal.

“Platforms like LinkedIn and DHL have an incentive to notify users through email and text but link the user back to the platform to raise visits/usage. This incentive will always stand at odds with protecting against phishing opportunities,” he said.

Phishing that appears to come from legitimate services cannot be stopped. At the same time, current defenses are not tuned to find these types of attacks, noted Patrick Harr, CEO of anti-phishing firm SlashNext.

“These attacks are rising, and the gateway to ransomware is phishing. As phishing continues to grow as a vector for ransomware attacks, zero-hour, real-time threat prevention solutions are critical to stopping these threats,” he told the E-Commerce Times.

The ability to block employee web traffic to phishing sites, via malicious links and other vectors, and stop a ransomware attack at the start of the kill chain, is paramount, he added.

Trust Factors In

The use of LinkedIn blurs the boundary between work purposes and personal career development. For individuals, such as sales and marketing professionals, or recruiters who are using LinkedIn for work purposes, employers should remind them that trust is not transitive.

Recognize that second-level connections are basically unknown individuals. All information on LinkedIn, no matter how professional it looks, can be entirely fake, observed Oliver Tavakoli, CTO at security firm Vectra AI.

“To avoid falling for LinkedIn scams, simply imagine the same message arriving via email in your work inbox. Apply the same training that you have received for identifying phishing scams. Only accept connections from people you have met or ones who have been formally introduced to you,” he told the E-Commerce Times.

LinkedIn should undertake efforts to find and delete fake profiles. It should also make it far easier for organizations to flag incorrect claims in fake profiles — for example, having worked at a particular organization — to quickly correct such inaccuracies, Tavakoli added.

“On the end-user front, there is no real substitute for education — teaching skepticism and not falling for the transitive effect of trust,” he advised.

Think About It

Considering that 92 percent of LinkedIn users’ data was exposed in the 2021 breach, it comes as no surprise cybercriminals have increased attacks leveraging LinkedIn data, prompted Harr. “However, based on our data, we are not seeing that LinkedIn has become the most imitated brand. This title belongs to Microsoft.”

With LinkedIn moving up the list of platforms used in phishing-related attacks, organizations should update their acceptable use policies (AUPs) to protect employees and mitigate the risk of web-based attacks, Schless recommended. Cloud-based web proxies such as secure web gateways (SWG) that are fed by rich threat intelligence datasets can help organizations build dynamic AUPs and protect enterprise data.

This enables admins to control which websites their employees and guest users can access with the purpose of blocking internet-borne malware, viruses, and phishing sites.

SWG is a critical solution to have in the modern enterprise security arsenal. It provides a way to block accidental access to malicious sites and can also be a safe tunnel to protect users from modern web-based threats such as ransomware, other malware, and phishing attacks, he explained.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by Jack M. Germain
More in Cybercrime