AT&T discloses another massive data breach containing phone records of "nearly all" its customers

Cal Jeffrey

In a nutshell: Hackers stole more than 100 million AT&T customers' phone records from 2022. The information from a six-month period contained metadata, including phone numbers, call and text counts, durations, and, in some cases, tower ID numbers. However, the contents of text messages and calls were not accessed.

On Friday, AT&T disclosed a massive data breach that exposed the phone records of nearly all of its 110 million customers. TechCrunch notes that although the company discovered the intrusion on April 19, the records accessed were from between May 1, 2022, and October 31, 2022. Additional data from January 2, 2023, was also compromised. The data cache contained phone numbers and records of calls and text messages from cellular and landline users.

The wireless provider said the breach did not include the content of calls or texts but did reveal metadata, including who contacted whom, the total count of calls and texts, and call durations. Some records also contained cell site identification numbers, which bad actors could potentially use to approximate the location of calls and texts.

The breach also affected customers of other carriers using AT&T's network, broadening its impact significantly. The company said it would notify its customers affected by the breach but didn't mention actions regarding the other affected providers.

Interestingly, this intrusion is connected to the recent Snowflake breach. Snowflake is a cloud data provider whose customers, including AT&T, Ticketmaster, and QuoteWizard, suffered from unauthorized access to data stored on the company's cloud servers. Researchers determined the root cause was a lack of enforced multi-factor authentication (MFA) on Snowflake accounts, leaving them vulnerable to attack.

Cybersecurity firm Mandiant, assisting Snowflake, reported that hackers stole a significant volume of data from approximately 165 customers. They attributed the breach to a cybercriminal group known as UNC5537, with members from North America and Turkey.

In response to the breach, AT&T has been working closely with law enforcement to track down the cybercriminals involved. The company confirmed that at least one person was apprehended, noting that it was not an AT&T employee. As mentioned, the attack occurred in April, but the FBI and the Department of Justice asked AT&T to delay public notification twice due to potential national security and public safety risks. The FCC tweeted that it was also involved and conducting an investigation.

This breach marks AT&T's second major security incident this year. Earlier, the company had to reset account passcodes after encrypted customer data appeared on a cybercrime forum. The ease with which bad actors could decrypt these passcodes prompted the carrier to take swift protective action, but only after denying the breach for two weeks.

Those concerned can find more information regarding the incident on AT&T's dedicated website. The company says it continues to work diligently to prevent further unauthorized actions.

Image credit: Mike Mozart

Five Eyes probably get this info anyway. American agencies are not allowed to spy on its citizens, but us Aussies and Kiwis are.

Though specific individuals could use this info, it's a goldmine for spy agencies, advertisers, Meta and Google to build their profiles.

Good thing the USA broke up the telecom monopoly, eh! Could have got everyone.

I found it weird when I arrived in the USA to travel in 1988. Ma Bell this, Pacific Bell that.
Flew into Miami; it could be more expensive to call Ft Lauderdale than L.A.

Locals were selling tourists stolen access numbers to make phone calls. Think the numbers were made up of the phone number to charge it to and the PIN.
 
Serious question. Can someone explain how something like this can go 3 months from discovery without being revealed?
Another article I read stated the incident was reported to the FBI within a few days, but that they ordered it kept secret to "aid in the investigation." Whether there's any limit on that power or requirement for disclosure to anyone at any point I'm not sure.
 
Why did AT&T ever transfer this information to Snowflake?
What does Snowflake do with it?
Who else did Snowflake share the data with?

And yes of course the NSA / Five Eyes had this data. It's "legal" because the US FISA court signs off on a "warrant" for it, despite the obvious lack of probable cause of any specific crime, in a court case not open or published to the public, and in which only the government is present. They have to do this every three months or something like that. We know because one of these "warrants" leaked a while back, I think even before the Snowden stuff did. The difference vs. the Snowflake leak is that I believe the intelligence services may be getting it all in real-time from the call-switching equipment vs. having to wait for some high level report to be generated (not 100% sure about that though.)
 
I've been complaining about this BS forever now. These companies make it so difficult to log on in the name of security, yet these morons can't protect their own/our data!! It's pathetic!
 
"Researchers determined the root cause was a lack of enforced multi-factor authentication" - yeah, I don't believe that. Things like this are usually inside jobs. Somebody either personally used that password, or leaked/sold it.
 

Not really; brute forcing passwords is essentially trivial now, so no 2FA is basically asking to have *everything* stolen.

I'll say it over and over until it sticks: Having every single network have to manage user credentials separately leaves everyone at the mercy of whoever is the worst at security, given how the majority of people reuse the same basic passwords over and over again. Not only does 2FA need to be mandated going forward, there needs to be a mechanism where security gets offloaded (say, to the OS) so every website under the sun doesn't have to manage the same information over and over again.
 
Even the cheapest/free "security" measures have brute-force protection. The WordPress websites I sometimes make have it, and WordPress is known to have security issues. Spamming passwords should usually result in IP blacklisting.

I get mails every day with reports of how "xxx IP tried 20 times to login". I also always get an email with "x account has logged in from x location". A few days ago I caught a suspicious login from another country, which I immediately responded to.