AT&T has admitted that cyberattackers grabbed a load of its data for the second time this year, and if you think the first haul was big you haven’t seen anything: This one includes data on “nearly all” AT&T wireless customers – and those served by mobile virtual network operators (MVNOs) running on AT&T’s network.
The telco giant reported today that a “breach” at a “third-party cloud platform” resulted in the theft of call and text metadata, but not of any personal information belonging to customers. Nonetheless, some customers could be at risk because “a subset” of records contained in that storage account included one or more cell tower identification numbers, allowing any potential miscreants to roughly geolocate a customer whose data was stolen in the attack.
An AT&T spokesperson told The Register that call/text records for just under 110 million customers were exposed in the incident, though that’s based on the company’s subscriber count from its 2022 annual report, we’re told.
The 110 million figure is derived from 2022’s total subscriber count, minus IoT devices and additional lines, we’re told. AT&T told us the 110 million number includes affected MVNO customers.
AT&T said it doesn’t believe any of the customer data stolen in the attack has been published online (yet), and that at least one person has been arrested by the FBI in connection to the theft of its records.
The FBI didn’t directly answer our questions regarding the arrest, only saying that it had been working with AT&T on the matter since shortly after the incident was discovered in mid-April, and that the lag in public disclosure was permissible under the rules that allow a company to request a delay in reporting a potentially material data theft.
One more flake in the snow bank
For those seeing “third party cloud platform” and immediately assuming this is related to the ongoing recovery from attackers targeting vendors’ accounts with cloud provider Snowflake – you’d be correct. AT&T is yet another high-profile customer affected by the digital ransacking of Snowflake user accounts using stolen customer login credentials.
If you’ve missed the avalanche, it’s believed about 165 companies had their internal data pilfered earlier this year from their individual Snowflake online database storage.
It’s believed the crooks performed credential stuffing – using stolen username and password combinations for other apps or sites to see if those combos also work with Snowflake – to access some people’s Snowflake cloud storage. User credentials in at least some cases were obtained by info-stealing malware on victims’ computers.
That is to say, Snowflake itself wasn’t compromised in a way that allowed the data to be stolen; it was swiped from individual customer accounts via valid logins.
Investigators at Mandiant believe affected Snowflake customers didn’t have multifactor authentication enabled on their accounts. Snowflake has since made MFA mandatory for all instances.
We asked AT&T if it had forgotten to enable MFA on its Snowflake account, and that question went unanswered.
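As an added illustration of the pattern described above, and not code from this article, AT&T, or Snowflake: a small Python detector, run over constructed login events (field names are assumed for illustration), that flags credential-stuffing source IPs, the single-factor logins they succeeded with, and accounts that never presented a second factor.

```python
from collections import defaultdict

# Constructed sample login events. The tuple layout is an assumption
# loosely modelled on what a cloud data platform's login history exposes:
# (timestamp, user, client_ip, success, second_factor or None).
EVENTS = [
    ("2024-04-14T03:01:00Z", "alice", "203.0.113.7",  False, None),
    ("2024-04-14T03:01:05Z", "bob",   "203.0.113.7",  False, None),
    ("2024-04-14T03:01:09Z", "carol", "203.0.113.7",  False, None),
    ("2024-04-14T03:01:14Z", "dave",  "203.0.113.7",  True,  None),       # hit, no MFA
    ("2024-04-14T03:01:20Z", "erin",  "203.0.113.7",  False, None),
    ("2024-04-14T09:00:00Z", "alice", "198.51.100.2", True,  "DUO_PUSH"), # normal login
    ("2024-04-14T09:05:00Z", "bob",   "198.51.100.3", True,  None),       # no MFA, no spray
]

def find_stuffing_sources(events, min_users=3):
    """IPs whose failed logins touched at least min_users distinct accounts.
    Credential stuffing replays stolen username/password pairs from a few
    sources, so one IP failing against many accounts is the signal."""
    failed_users = defaultdict(set)
    for _, user, ip, ok, _ in events:
        if not ok:
            failed_users[ip].add(user)
    return {ip for ip, users in failed_users.items() if len(users) >= min_users}

def find_compromised_logins(events, min_users=3):
    """Successful single-factor logins from a stuffing source: treat these
    accounts as compromised (reset password, revoke sessions, review access)."""
    suspects = find_stuffing_sources(events, min_users)
    return [(ts, user, ip) for ts, user, ip, ok, mfa in events
            if ok and mfa is None and ip in suspects]

def users_without_mfa(events):
    """Accounts that logged in successfully without a second factor; these
    are the ones a stolen password alone would unlock."""
    return sorted({user for _, user, _, ok, mfa in events if ok and mfa is None})
```

In the sample data the spray from 203.0.113.7 lands on `dave`, whose account has no second factor, while `bob` shows up only as an MFA gap to close rather than a confirmed compromise.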
Along with AT&T, the mass intrusion into Snowflake instances has affected companies like Ticketmaster and its Australian equivalent Ticketek, US auto supply store Advance Auto Parts, international bank Santander, and lots more.
AT&T said in March that records belonging to 73 million current and former customers had been published on the dark web. This latest admission is therefore the second massive customer data exposure it has experienced this year, though the data exposed in March is believed to have been stolen several years ago.
The US telco told us the two incidents are unrelated, and has repeatedly asserted that the data stolen in the previous attack didn’t come from its systems, either. ®