The agency said Thursday it is looking into "the potential cyber threat" from the breach.
AT&T said it has no comment. It acknowledged Wednesday that it had exposed the e-mail addresses through a Web site, and had closed the breach.
The vulnerability only affected iPad users who signed up for AT&T's "3G" wireless Internet service.
An AT&T Web site could be tricked into revealing an iPad owner's e-mail address when supplied with a code associated with their particular iPad. A hacker group that calls itself Goatse Security said it got the site to cough up more than 114,000 e-mail addresses by guessing which codes would be valid.
The group said it contacted AT&T and waited until the vulnerability was fixed before going public with the information. AT&T said the problem was fixed Tuesday but that it was alerted to it by a business customer.
Apple Inc., the maker of the iPad, has not commented on the breach, referring all questions to AT&T.
AT&T has apologized and said it will notify all iPad users whose e-mail addresses may have been accessed. It noted that the only information hackers would have been able to steal using the attack were users' e-mail addresses. But that can be enough to launch an effective attack, since the attacker also knows that the person receiving the e-mail is an iPad user and an AT&T customer and would expect to receive e-mail from Apple and AT&T about their accounts.
Criminals could use that knowledge to trick them into opening e-mails that plant malicious software on their computers.
New York Mayor Michael Bloomberg's e-mail address was among those exposed, but the billionaire media mogul shrugged it off Thursday and said he didn't understand the fuss.
"It shouldn't be pretty hard to figure out my e-mail address," Bloomberg said, "and if you send me an e-mail and I don't want to read it, I don't open it. To me it wasn't that big of a deal."