AT&T hit by another data breach

AT&T customers logging into their accounts to pre-order the Apple iPhone 4 reported that they were given access to the account information of other customers.

Despite entering their own usernames and passwords, the AT&T system would take them to another user's account, according to gadget blog Gizmodo, which broke the news.

Some users said when they refreshed the web page, the site returned the correct account information.

AT&T said told Gizmodo that it could not replicate the problem but noted that reports of the problem indicated some data, such as social security numbers and credit card numbers, was not disclosed.

The incident comes just days after AT&T apologised for a leak that disclosed e-mail address for more than 100,000 iPad customers, including top business executives, and government and military officials.

But the company blamed the incident on the Goatse Security researchers who uncovered a flaw in AT&T's website.

The email addresses were disclosed after the researchers discovered that entering a serial number for an iPad SIM card into an application on AT&T's website would reveal the owner's email address.

They wrote a script that would randomly generate serial numbers and submit them to the website, collecting the email addresses that it returned.

AT&T has said it plans to prosecute Goatse Security, but the group insists it did not break the law and that it acted in the public interest.

The FBI has confirmed that it is investigating the incident to find how private information about iPad users was compromised and whether the actions of the Goatse researchers constitute a crime.

This story was first published by Computer Weekly

What’s Hot on Infosecurity Magazine?