screenshot from AT&T e-mail

On Sunday evening, AT&T sent an e-mail message to owners of the Apple 3G iPad notifying them of a security breach that was publicized early last week.

The message, sent by Dorothy Attwood, a senior vice president and chief privacy officer at AT&T, explained that a number of iPad 3G owners’ e-mail addresses, along with a private identification number known as an ICC-ID, were made public through a breach in AT&T’s Web site. The company also apologized for the security error.

AT&T laid blame on a security group that first discovered the weakness on the company’s Web site. Ms. Attwood wrote that “unauthorized computer ‘hackers’ maliciously exploited a function designed to make your iPad log-in process faster.”

The group, known as Goatse Security, discovered the hole early last week before notifying the gossip Web site Gawker.com. The breach made more than 114,000 e-mail addresses visible.

Ms. Attwood refers to the group in the e-mail as “self-described hackers” and writes that the group “deliberately went to great efforts” to gain access to customers’ private information.

On Thursday, the Federal Bureau of Investigation said it was investigating the security breach, calling it a “potential cyberthreat.”

Ms. Attwood also accused the group of putting “together a list of these e-mails and distributed it for their own publicity.”

In a recent blog post on Goatse Security’s Web site, a member of the group defended its actions, stating that “all data was gathered from a public webserver with no password, accessible by anyone on the Internet.” The group’s members also noted that their efforts were meant to protect the public and said the only person to receive the e-mail addresses and ICC-ID numbers was “Gawker journalist Ryan Tate who responsibly redacted” any visible personal information.

Members of the group used the ICC-ID that is on each iPad 3G and pinged the AT&T login page with it. That page returned an e-mail address associated with that iPad 3G. They then wrote a simple script to ping the page with a series of numbers repeatedly until they had 114,000 e-mail addresses.
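From the defender's side, the pattern described above (one client presenting a long run of different identifiers to the same page) is visible in web server logs. The sketch below is an added example, not code from the article, AT&T or Goatse Security; the log format, the `/login?iccid=` path, the addresses and the thresholds are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <client ip> GET /login?iccid=<digits> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) GET /login\?iccid=(\d+) (\d{3})$")

def make_sample_log():
    """Constructed sample: one enumerating client and two ordinary ones."""
    base = datetime(2010, 6, 7, 12, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%S"
    lines = []
    for i in range(40):  # a new identifier every second from one address
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f"{ts} 203.0.113.7 GET /login?iccid={8900000000000000000 + i} 200")
    for ip, iccid in (("198.51.100.4", 8900000000000555123), ("198.51.100.9", 8900000000000777456)):
        for i in range(5):  # ordinary devices repeat only their own identifier
            ts = (base + timedelta(minutes=i)).strftime(fmt)
            lines.append(f"{ts} {ip} GET /login?iccid={iccid} 200")
    return lines

def find_enumerators(lines, window=timedelta(minutes=5), max_distinct=10):
    """Return {client_ip: peak} for clients whose peak number of distinct
    identifiers inside any sliding window exceeds max_distinct."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines in any other format are ignored
            events[m.group(2)].append((datetime.fromisoformat(m.group(1)), m.group(3)))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start, counts, worst = 0, defaultdict(int), 0
        for ts, iccid in evs:
            counts[iccid] += 1
            while ts - evs[start][0] > window:  # drop events older than the window
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            worst = max(worst, len(counts))
        if worst > max_distinct:
            flagged[ip] = worst
    return flagged
```

Counting distinct identifiers rather than raw requests keeps a device that retries its own log-in many times from being flagged.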

The full e-mail from AT&T regarding the security breach is below: