AT&T has patched the hole, however, not before Goatse Security shared the flaw with a number of third parties. In other words, there's no telling whose hands the exploit fell into, nor what they might have done with the information. What's worse, the 114,067 compromised addresses only accounts for the data collected by Goatse, so it's likely many more have been exposed.
AT&T has commented on the matter, saying that a business customer (not Goatse Security) reported the hole on Monday and was resolved on Tuesday. The carrier said it's investigating the situation and will inform anyone who may have been affected.