AT&T exposed the email addresses of more than 114,000 iPad 3G customers through a web application that returned subscriber data when queried with valid ICC-ID values and an iPad-style user agent. Goatse Security used a script to enumerate identifiers and harvest addresses tied to high-profile victims, including corporate executives, media figures, government officials, and military personnel. Gawker publicized the incident after receiving sample data, while AT&T acknowledged the flaw, fixed it, apologized to customers, and said it would notify affected users; reporting at the time said the FBI opened an investigation.
The disclosure quickly escalated into a criminal case against Goatse Security members Andrew "weev" Auernheimer and Daniel Spitler, with prosecutors alleging unauthorized access under the Computer Fraud and Abuse Act and related identity-fraud charges. Auernheimer was later convicted and sentenced to 41 months in prison, though his case became a flashpoint in the security community over whether enumerating an openly accessible API constituted hacking or controversial vulnerability disclosure; later coverage noted his release after appellate proceedings without resolving the broader legal debate over security research and unauthorized access.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
10 events from the most recent confirmed update back to the earliest known activity.
A federal appeals court vacated Auernheimer's conviction, leading to his release from prison. The ruling turned on improper venue rather than resolving broader questions about whether the conduct constituted unauthorized access.
Andrew Auernheimer was sentenced to 41 months in prison, followed by three years of supervised release, for his role in the AT&T iPad case. The court also ordered restitution to AT&T, with co-defendant Daniel Spitler also held financially responsible.
A federal jury convicted Andrew Auernheimer on identity fraud and conspiracy to access a computer without authorization for his role in obtaining and disclosing AT&T iPad users' email addresses. The verdict intensified debate over vulnerability disclosure and the scope of the CFAA.
On January 18, 2011, U.S. authorities filed charges against Andrew Auernheimer and Daniel Spitler in connection with the AT&T iPad email exposure. The case alleged unauthorized access under the Computer Fraud and Abuse Act and related offenses.
Andrew 'weev' Auernheimer, identified as a Goatse Security member tied to the incident, was arrested in Arkansas during execution of an FBI search warrant. Authorities also reported drug possession charges stemming from the search, though the exact connection to the iPad case was initially unclear.
AT&T issued an apology to customers affected by the iPad 3G email-address exposure as fallout from the breach continued. The apology followed the company's acknowledgment of the flaw and remediation efforts.
Federal authorities began investigating the AT&T iPad email exposure following public disclosure of the incident. Multiple reports specifically state that the FBI was investigating Goatse Security's role in the breach.
After the exposure became public, AT&T acknowledged the security flaw, closed the vulnerable application, and said it was investigating the incident. The company later said it would notify affected customers.
Gawker/Valleywag published excerpts from the leaked list under the 'iLeak' label, bringing public attention to the exposure of more than 114,000 AT&T iPad customer email addresses. Reporting said AT&T had been notified before publication.
Goatse Security discovered that AT&T's iPad 3G web application returned customer email addresses when queried with ICC-ID or related device identifiers, and used a script to enumerate more than 114,000 addresses. The exposed data included high-profile executives, media figures, government officials, and military personnel.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
16 references tracked. Mallory keeps watching after this page renders.
theguardian.com
Open sourceforbes.com
Open sourcearstechnica.com
Open sourceweb.archive.org
Open sourcewashingtonpost.com
Open sourcenpr.org
Open sourcetheregister.co.uk
Open sourceweb.archive.org
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.