From the guys who discovered the issue:
AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate: within the hour. Days afterward is not acceptable. It is theoretically possible that in the span of a day (particularly after a hole was closed) a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability.
Even in this disclosure, which I feel they would not have made if we hadn’t publicized this vulnerability, AT&T is being dishonest about the potential for harm.
I’m pretty sure I was impacted by this list the first time around, and it’s clear that AT&T doesn’t have a clue what they’re doing when it comes to the web, especially when it concerns security.