US carrier AT&T has apologised for the breach of the e-mail addresses of over 100,000 3G iPad users in the US, but has not accepted responsibility for the incident.
But the carrier blamed the incident on the security researchers from a group known as Goatse Security. AT&T said they uncovered the flaw in AT&T's website that made the breach possible, according to US reports.
"Unauthorised computer hackers maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the e-mail address you used to register your iPad for 3G service," the company said in an e-mail signed by Dorothy Attwood, AT&T's chief privacy officer.
According to Dorothy Attwood, the self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad - called the integrated circuit card identification (ICC-ID) - and repeatedly queried an AT&T web address.
When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the e-mail address associated with the ICC-ID already populated on the log-in screen, she said.
"The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer e-mail addresses. They then put together a list of these e-mails and distributed it for their own publicity," said Attwood.
As soon as AT&T became aware of the situation, the company disabled the mechanism to prevent any further unauthorised exposure of customer e-mail addresses, she said.
The US Federal Bureau of Investigation (FBI) announced on Thursday it had launched an investigation after learning that US government and military officials were among those whose e-mail addresses were exposed.
The FBI is investigating how private information about iPad users was compromised and whether the actions of the researchers constitute a crime.
But Goatse Security maintains there was no illegal activity or unauthorised access involved.
The group said in a blog post that the security vulnerability was fixed before it was publicised, all the private user information gathered was destroyed, and no remuneration was received.
"This disclosure needed to be made. iPad 3G users had the right to know that their e-mail addresses were potentially public knowledge so they could take steps to mitigate the issue. This was done in service of the American public," the group said.