FBI Investigating iPad Breach (Update)
The FBI has confirmed it is investigating how private information about iPad users was compromised via an insecure AT&T Web server, as Gawker first reported yesterday. The FBI also contacted Gawker Media today.
The federal law-enforcement agency told the Wall Street Journal it is "very early" in an investigation into "these possible computer intrusions," in which a group of security researchers harvested iPad customer email addresses and network IDs and exposed a hole in AT&T's network.
We can confirm that Gawker Media was contacted by the FBI earlier today and issued a formal preservation notice.
We've reached out to the security group that first discovered the vulnerability, Goatse Security, and have asked for a statement. We're waiting to hear back.
Update: In a lengthy blog post, a member of Goatse Security states that "there was no illegal activity or unauthorized access" involved. The group says that while it did not directly contact AT&T, it "made sure that someone else tipped them off." Goatse also says that the security hole was closed before the vulnerability was publicized; that the private user information it gathered—a copy of which was provided to us—was later destroyed; and that the group was not paid or otherwise compensated by Gawker, which is correct.
An excerpt:
This disclosure needed to be made. iPad 3G users had the right to know that their email addresses were potentially public knowledge so they could take steps to mitigate the issue (like changing their email address). This was done in service of the American public. Do you really think corporate privacy breaches should stay indefinitely secret? I don't. If you're potentially on a list of exploit targets because someone has an iPad Safari vulnerability and they scraped you in a gigantic list of emails it is best that you are informed of that sooner than later (after you've been successfully exploited)....
All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word...
Your iPads are safer now because of us.