I’m noticing some confusion about who is responsible for the iPad e-mail address leak in various news articles that are writing about the incident.

  • AT&T is responsible and their servers leaked the information
  • As per the article from the BBC, only iPads using the AT&T service is affected. (This is not a world wide issue)

The vulnerability only involved iPad users who had signed up for AT&T’s 3G wireless service, and users of the iPad outside the US are believed to be unaffected. The breach involved a feature of AT&T’s website, which would prompt users when they tried to log in to their AT&T accounts through their iPad.

On digg.com, a related article is titled ‘Apples Worst Security Breach: 114,000 iPad Owners Exposed’, with a Warning: The content in this article may be inaccurate. Surprisingly, Gawker is still running with the same title and hasn’t changed it yet (as of June 10 2010 15:00PM EST). As a side note, Gawker owns Gizmodo, who was responsible for the leak on the new iPhone.

The only data that was ‘exposed’ was a large quantity of e-mail addresses of notable politicians, celebrities and military personal, and nothing else. (Passwords, credit card numbers, social security info etc. was NOT EXPOSED)

It’s little stories like these that chip away at the perception that a company is not secure. This happened to Microsoft. I’m defending Apple in this case, because I believe in giving credit where credit is due, and in this case, it’s an AT&T technical problem not an Apple technical problem. Unfortunately the perception that has been created is that it’s an Apple security problem.

Sure, it could potentially expose people to social engineering/phishing attacks, but these people’s addresses are already out there in log files on many mail servers on the Internet, not to mention everytime someone forwards a message an address is going to be ‘exposed’.

Keep calm and carry on.