The data was obtained by research organization Goatse Security, which exploited a flaw on the AT&T site that spit out email addresses when provided with ICC-IDs, unique SIM card codes that are meant to identify subscribers and their devices.
"Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet," said Gawker, a news and gossip blog, which first reported the story. "When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a web application."
Goatse researchers, who could not be reached for comment Thursday by SCMagazineUS.com, reportedly used "brute force" techniques to obtain the email addresses.
Some of the email addresses belong to well-known early iPad adopters, including New York Mayor Michael Bloomberg and White House Chief of Staff Rahm Emanuel.
The flaw has since been closed. Experts blamed the exposure on a weak web infrastructure.
"When you use any Web 2.0 technology, you need to build security into the server of the application," Lars Ewe, CTO of security firm Cenzic, told SCMagazineUS.com. "Ultimately, any request that comes to your server needs to be assumed as malicious."
AT&T, in a statement emailed to SCMagazineUS.com, said it regretted the incident.
"This issue was escalated to the highest levels of the company and was corrected by Tuesday, and we have essentially turned off the feature that provided the email addresses," the company said. "The person or group who discovered this gap did not contact AT&T. We are continuing to investigate and will inform all customers whose email addresses and ICC-IDs may have been obtained. We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.”
The FBI also is investigating, the Wall Street Journal reported Thursday afternoon.