Anonymous, a well-known hacker group, is claiming to have broken into an Apple server and obtained usernames and passwords. The server in question appears to be the abs.apple.com server, which Apple utilizes for online surveys. Anonymous issued a tweet from its Twitter account on Sunday claiming Apple could be a potential target.

“Not being so serious, but well … Apple could be target, too. But don’t worry, we are busy elsewhere,…”

The usernames and passwords of 27 individuals were then published to the text-sharing site Pastebin. As of Monday, that specific server displayed an error message. Apple declined to comment when asked.

For those of you not familiar with the hacker group Anonymous, they are well-known for attacking sites and companies that they consider opponents of the popular site WikiLeaks. It’s also said that the hacker/WikiLeak group LulzSec emerged from Anonymous as well. These groups have hit Sony Corporation, the Central Intelligence Agency, and many others simply for their own enjoyment (or maybe to make a point?).

I don’t see groups like these setting their eyes on Apple when it comes to a seriously malicious attack but who knows? They don’t seem to put all their efforts into exploiting any one particular company but any data breach is a concern. Hopefully Apple is looking into this.

[Reuters]

Hackers found a way in to AT&T’s iPad 3G registry and, using a brute-force attack based on unique ICC-ID numbers, managed to pull down corresponding email addresses for those users — who include members of the US military, executive branch, and media companies.

AT&T has since closed the vulnerability and issued the following statement:

“AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device.

This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.

The person or group who discovered this gap did not contact AT&T.

We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.

We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.”

So once again it’s the convenience of the cloud vs. the security of customer information. Increasingly we’re trusting online accounts and services with our personal and financial information, and high-profile incidents like this, if nothing else, force everyone to re-examine what we trust and with whom.

How serious is this loss of data to you? Does it make you hesitant to signup online or on-device?

[Gawker, who curiously call it an Apple security breach in the headline.]

Remember that phishing scam that targeted MobileMe users a while back? The one that may have nabbed hundreds of account holders’ information? Well Apple must, because the latest in their series of MobileMe Updates addresses the issue head on:

You will never receive a message from MobileMe asking you to send personal information over email. If we are ever unable to charge your credit card, for instance, we will send you a reminder email, but will not directly link to any web pages. The safest way to respond and update any necessary information is to type www.me.com into your browser and log in to your account directly. That way you can be confident you are at me.com and your personal information is secure.

Apple further provides a support document on how to better determine the actual destination hidden behind a link, and an email address — reportphishing@apple.com — where users can forward any questionable content for investigation by Apple legal and law enforcement.

Together, MobileMe users can help take a byte out of Apple-targeted crime!

Remember that warning we posted on Tuesday about a MobileMe phishing attack in the wild? Turns out it’s been terrifyingly effective so far. Ars Technica quotes CardCops president Dan Celements:

“We found 20 different files parked on the server, each file with two or three or four, up to 20, profiles. Cumulatively, there were about 300 profiles collected in that one day. And 100 to 200 were mac.com addresses.”

NOT GOOD. Ars goes on to rightly point out that Apple customers are typically higher-income, and thus more desirable targets. We’d also add that Apple users are not as accustomed to malware and phishing as our Windows-using friends, but as email and web browsing doesn’t care about platform, we REALLY need to be. Just like you wouldn’t open a package left at your door that smelled like gasoline and was ticking, even if it came in a Tiffany’s box, don’t open links or give out credit card information just because it fakes coming from Apple.

REMEMBER: Don’t EVER believe email requests for secure data. Go to the site yourself (not through their link — type it in) and log in and see if there really is a problem. Check domain names carefully. App1e.com isn’t the same as Apple.com, they’re just hoping you don’t notice. Worried about the recent DNS poisoning attacks? Use HTTPS/SSL or use a direct IP address. If in any doubt, pick up a phone and call Apple (or your credit card company) directly.

Phishing attacks, where a bad guy tries to fool you into giving them personal information such as financial account logins, are nothing new on the ‘net. Fake emails leading you to a fake bank site to enter your information so that they (increasingly organized crime, often in Russia or China) can log into your real site and transfer out all your money, then steal your identity and sell it off to second and third tier hackers for other nefarious uses.

This specific attack pretends to come from Apple regarding a MobileMe billing problem, and asks the user to click a link to update their credit card information (which will be promptly stolen). What makes this recent attack particularly dangerous is that MobileMe HAS had billing problems in the recent past, and what with all the other problems associated with the launch, users may be unfortunately prone to believe the phishing attack.

REMEMBER: Don’t EVER believe email requests for secure data. Go to the site yourself (not through their link — type it in) and log in and see if there really is a problem. Check domain names carefully. App1e.com isn’t the same as Apple.com, they’re just hoping you don’t notice. Worried about the recent DNS poisoning attacks? Use HTTPS/SSL or use a direct IP address. If in any doubt, pick up a phone and call Apple (or your credit card company) directly.

Yes, the bad guys are bombing the internet back to the stone age. It’s not a safe browsing world. Be careful and protect your data with the same care you protect real-world valuables.

(via Ars Technica)