AT&T servers had been hacked
A group of hackers found a security flaw on the web servers of AT&T and after obtaining users’ 3G iPad SIM addresses (also known as ICC ID) from the web made an automated script attack to receive their email addresses.
According to Gawker report, now hacked users may "be vulnerable to spam marketing and malicious hacking". SIM addresses are easy enough to obtain, because many people have already posted their ICC ID numbers in photos published on Flickr for instance. But most of them have their e-mails published too, so it is likely that they have already received such spam.
It is reported that at least 114,000 email addresses had been received by the hackers before security leak was patched.
It is unknown, whether the information about ICC ID numbers can be used "to spoof a device on the network or even intercept traffic", but Emmanuel Gadaix, who is a mobile security consultant, said there were vulnerabilities found in GSM crypto, but they are not related to the case:
"...As far as I know, there are no vulnerability or exploit methods involving the ICC ID".
University of Virginia computer science PhD and white hat GSM hacker Karsten Nohl supported this thought:
"...While text-message and voice security in mobile phone is weak, ..., data connections are typically well encrypted.
...The disclosure of the ICC ID has no direct security consequences".
Gawker thinks such situation is "another embarrassment" for Apple and Karsten Nohl describes AT&T's attitude to confident data is grossly incompetent.
Official reaction of AT&T:
"This issue was escalated to the highest levels of the company and was corrected by Tuesday. We are continuing to investigate and will inform all customers whose e-mail addresses... may have been obtained."