While there’s no specific security risk associated with the pairing of ICC-ID and the email address of a subscriber — other than the likelihood of spam or the possibility of phishing — it’s still a bad, bad thing to be giving away customer data out the front door. How many pairs of IDs and emails did the gang at Goatse Security (yes, that’s their name) manage to collect before AT&T became aware of their activities? About 114 thousand….
AT&T website scraped to reveal iPad 3G owners’ email addresses
Unfortunately for AT&T’s security infrastructure — and equally unfortunately for customers who bought and activated iPad 3G units on the company’s network — a freelance security research team has reportedly scraped two key tidbits of information from thousands of iPad registrations. As Gawker reports, the hackers exploited a script on AT&T’s site by feeding it ICC-IDs (the GSM SIM card’s identifier code) harvested from iPad user screenshots and interpolated to cover a wider range. The AT&T site obligingly gave back the email address associated with each of the ICC-IDs.
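The weakness described above is a lookup script that answers for any ICC-ID it is fed, so harvesting shows up in the server's logs as one client requesting a dense numeric range of identifiers. The following detection sketch is an added example, not code from AT&T, Gawker or the original article; the log format, the /lookup path, the ICCID parameter name and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data). Format assumed for this example:
# "<client-ip> GET <path>?ICCID=<19-20 digits> <status>"
SAMPLE_LOG = [
    f"198.51.100.7 GET /lookup?ICCID=89014100000000{n:05d} 200"
    for n in range(100, 140)          # one client walking a range of IDs
]
SAMPLE_LOG += [
    "203.0.113.20 GET /lookup?ICCID=8901410000000073311 200",  # owner, repeated
    "203.0.113.20 GET /lookup?ICCID=8901410000000073311 200",
    "203.0.113.45 GET /lookup?ICCID=8901410000000912846 200",  # another owner
]

LINE_RE = re.compile(r"^(\S+) GET \S*[?&]ICCID=(\d{19,20})\b")


def find_enumerators(lines, min_distinct=25, max_gap=20, dense_ratio=0.8):
    """Return {client: distinct_id_count} for clients whose lookups cover a
    dense numeric range of ICC-IDs (guessed or interpolated identifiers)."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))

    flagged = {}
    for client, ids in seen.items():
        # A real subscriber looks up one or two IDs; skip small sets.
        if len(ids) < min_distinct:
            continue
        ordered = sorted(ids)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        # Share of neighbouring IDs that sit close together numerically.
        dense = sum(g <= max_gap for g in gaps) / len(gaps)
        if dense >= dense_ratio:
            flagged[client] = len(ids)
    return flagged


if __name__ == "__main__":
    for client, count in find_enumerators(SAMPLE_LOG).items():
        print(f"possible ICC-ID enumeration: {client} queried {count} distinct IDs")
```

Detection only shortens the exposure; the fix for this class of bug is to return subscriber data only to an authenticated session that owns the ICC-ID being queried.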