Apple iPhone 4 Pre-Order Is a Security-Breached Nightmare: AT&T to Blame? [Updated]

Apple’s shiny new iPhone 4 is available for pre-order today, and the crush of customers seems to have thoroughly knocked AT&T for a loop. Customers are reporting insane lines, glitchy procedures, and serious security breaches.



Apple’s iPhone 4 (check out our hands-on here) is available for pre-order today. Not purchase, just pre-order, which makes it even crazier that customers have come out in such force that AT&T customer service agents are probably crying themselves to sleep tonight. They should try to sleep–they’ve got a long day ahead of them tomorrow, given the major security breach that occurred today.

It appears that AT&T was unable to deal with the large number of orders, and since all orders (even from Apple’s official site) were routed through AT&T, when AT&T went down, everyone went down with it. And AT&T went down hard. There are reports of waits of 20 minutes per customer (for a procedure that should take no more than a minute or two), and sometimes as long as a few hours. AT&T’s site eventually crashed so hard that stores were forced to drastic measures.

Some AT&T stores moved to primitive 20th-century methods like imprinting credit cards with ink and paper. One store in Plainfield, IL simply closed down for the day, unable to take any orders. [Update: My source at AT&T says this is not true.]

Even worse, when orders did eventually go through, many returned errors. Some were charged the full, unsubsidized price ($700), or were billed two or three separate times due to AT&T employees mashing the “submit” button, hoping one would get through.

The worst problem has to be the security breach some customers found. As reported by Gizmodo, some customers, upon logging into AT&T’s site to order an upgrade, were actually taken to an entirely different user’s page, already logged in. That gives access to a stranger’s private billing and calling information. Apparently the breach is due, ironically, to a security update that went out over the weekend. AT&T didn’t test the update, and it seems to have backfired.

It’s a pretty egregious error. AT&T has yet to respond to my requests for comment, but this is a much more serious breach than, say, the iPad email address leak. I’ll update more as we hear more about this situation.


Update: I’ve just spoken to an AT&T rep, who gave me the following statements. I’ve truncated the first one, which has a lot of self-congratulations on the iPhone 4’s tremendous pre-sales.

iPhone 4 pre-order sales yesterday were 10-times higher than the first day of pre-ordering for the iPhone 3G S last year. […]

Given this unprecedented demand and our current expectations for our iPhone 4 inventory levels when the device is available June 24, we’re suspending pre-ordering today in order to fulfill the orders we’ve already received.

The availability of additional inventory will determine if we can resume taking pre-orders.

In addition to unprecedented pre-order sales, yesterday there were more than 13 million visits to AT&T’s website where customers can check to see if they are eligible to upgrade to a new phone; that number is about 3-times higher than the previous record for eligibility upgrade checks in one day.

Reading between the lines, that “unprecedented” web traffic may have been the culprit for the slowdown. That kind of traffic can knock a site down, which would be consistent with some of the behavior we saw yesterday.

As far as the security breach goes, AT&T offered a terse statement:


We have received reports of customers inadvertently seeing the wrong account information during the iPhone 4 purchasing process. We have been unable to replicate the issue, but the information displayed did not include call-detail records, social security numbers, or credit card information.


In the meantime, we are looking into this matter.

What exactly was shown in the login mixup is unclear. We have a few screenshots as evidence which show name, address, and plan details (how many minutes, that kind of thing). There’s a link at the top to “Manage my account” which might have led to other information, including billing and calling information as reported, but we have no evidence to show that that link behaved in that manner. For all we know, it signed the user out, or sent the user to his actual profile, or purchased season one of The West Wing on DVD from Amazon–AT&T’s site was acting weird, and that link may or may not have done what it was intended to do.



Dan Nosowitz, the author of this post, can be followed on Twitter, corresponded with via email, and stalked in San Francisco (no link for that one–you’ll have to do the legwork yourself).

About the author

Dan Nosowitz is a freelance writer and editor who has written for Popular Science, The Awl, Gizmodo, Fast Company, BuzzFeed, and elsewhere. He holds an undergraduate degree from McGill University and currently lives in Brooklyn, because he has a beard and glasses and that's the law.