Hackers stole call, text records of “nearly all” of AT&T’s cellular customers
Hackers leveraging stolen Snowflake account credentials have stolen records of calls and texts made by “nearly all” of AT&T’s cellular customers from May to October 2022, the company has confirmed.
“The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information. It also does not include some typical information you see in your usage details, such as the time stamp of calls or texts,” AT&T said.
Many other companies had data stolen via compromised Snowflake accounts
Snowflake is a company whose cloud-based storage and analytics offering is used by 9,800+ organizations around the world.
AT&T is among the 160+ organizations that have been affected by the coordinated data theft campaign pulled off by threat actors who got their hands on compromised/stolen credentials for Snowflake accounts.
The accounts that ended up being accessed were secured only via a password, which made the data grab easy.
AT&T: Stolen data isn’t publicly available
“Based on our investigation, the compromised data includes files containing AT&T records of calls and texts of nearly all of AT&T’s cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network, as well as AT&T’s landline customers who interacted with those cellular numbers between May 1, 2022 – October 31, 2022,” AT&T detailed.
“The compromised data also includes records from January 2, 2023, for a very small number of customers. The records identify the telephone numbers an AT&T or MVNO cellular number interacted with during these periods. For a subset of records, one or more cell site identification number(s) associated with the interactions are also included.”
While the stolen data does not include customer names, the company has acknowledged that publicly available online tools can be used to find the name associated with a specific telephone number.
“At this time, we do not believe that the data is publicly available,” the company said.
“We have taken steps to close off the illegal access point. We are working with law enforcement in its efforts to arrest those involved in the incident. We understand that at least one person has been apprehended.”
This breach is not related to the one from April, when data of tens of million customers past and present AT&T customers was leaked.
Snowflake taking action
While the onus of properly securing Snowflake accounts is on the company’s customers, this incident has made the company realize that pushing customers to implement security measures and making it easier to implement them is crucial to minimizing the possibility of similar breaches in the future.
Snowflake did not catch too much flack for these breaches, as it was obvious that part of the fault rested with the customers themselves. Snowflake has also promply called in external experts to investigate the incident and has regularly updated the public and its customers about the investigators’ findings – actions that helped stymie criticism.
But the company has obviously rightly judged that if they don’t take serious measures to make customer up their security levels, they might suffer a serious blow to their reputation and bottom line if a similar attack occurs again.
UPDATE (July 15, 2024, 05:45 a.m. ET):
AT&T paid out $370,000 to a hacker that, along with John Binns – a US citizen recently arrested in Turkey for allegedly being involved in stealing sensitive information from T-Mobile in 2021 and selling it – apparently stole from AT&T and other organizations via compromised Snowflake accounts.
The money was paid to delete the data and provide proof of deletion, Kim Zetter reported for WIRED. The deal was brought about with the help of a security researcher who goes by “Reddington”, and who “facilitated a number of negotiations between the hackers and victims of the Snowflake account breaches.”