
Scammers Steal Phone, Text Message Records of Nearly Every AT&T Customer – Krebs on Security

AT&T Corp. today revealed that a new data breach has exposed the phone call and text message records of approximately 110 million people, nearly all of its customers. AT&T said it delayed disclosing the incident in response to “national security and public safety concerns,” noting that some of the records included data that could be used to determine where a call was made or a text message sent. AT&T also acknowledged that the customer records were exposed in a cloud database protected only by a username and password (no multi-factor authentication was required).


In a regulatory filing with the U.S. Securities and Exchange Commission today, AT&T said cyber attackers accessed an AT&T workspace on a third-party cloud platform in April, downloading files containing customer call and text interactions between May 1 and October 31, 2022, and on January 2, 2023.

The company said the stolen data includes call and text message records for wireless carriers that resell AT&T’s service, but does not include the content of calls or text messages, Social Security numbers, dates of birth or any other personally identifiable information.

However, the company said a subset of the stolen records included information about the location of the subscriber’s nearest cell towers, data that could be used to determine the approximate location of the customer device that initiates or receives those text messages or phone calls.

“While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific phone number,” AT&T acknowledged.

AT&T said it was notified of the breach on April 19, but delayed its disclosure at the request of federal investigators. At least one person has been arrested by authorities in connection with the breach, according to information the company provided to the SEC.

In a written statement shared with KrebsOnSecurity, the FBI confirmed that it had asked AT&T to delay notifying affected customers.

“Shortly after identifying a potential breach of customer data and prior to making its determination as to its materiality, AT&T contacted the FBI to report the incident,” the FBI statement read. “In assessing the nature of the breach, all parties discussed a potential delay in reporting under SEC Rule 1.05(c) due to potential risks to national security and/or public safety. AT&T, the FBI, and DOJ worked collaboratively throughout the first and second delay processes, while sharing key threat intelligence to strengthen the FBI’s investigative capabilities and assist AT&T in its incident response efforts.”

TechCrunch quoted an AT&T spokesperson as saying that customer data was stolen following an ongoing data breach involving more than 160 customers of the cloud data provider Snowflake.

Earlier this year, malicious hackers discovered that numerous large enterprises had uploaded massive amounts of valuable and sensitive customer data to Snowflake servers, while protecting those Snowflake accounts with little more than a username and password.

Wired reported last month that the hackers behind the Snowflake data breaches purchased stolen Snowflake credentials from dark web services that sell access to usernames, passwords, and authentication tokens that are siphoned off by information-stealing malware. For its part, Snowflake says it now requires all new customers to use multi-factor authentication.

Other companies that had millions of customer records stolen from Snowflake servers include Advance Auto Parts, Allstate, Anheuser-Busch, Los Angeles Unified, Mitsubishi, Neiman Marcus, Progressive, Pure Storage, Santander Bank, State Farm and Ticketmaster.

Earlier this year, AT&T reset passwords for millions of customers after the company finally acknowledged a 2018 data breach involving approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.

Marc Burnett is an application security architect, consultant and author. Burnett said the only real use for the data stolen in AT&T’s latest security breach is to know who contacts whom and how often.

“What concerns me most about this AT&T data breach of ALL customer call and text messages is that this isn’t one of their core databases; it’s metadata about who is contacting who,” Burnett wrote on Mastodon. “Which makes me wonder what use call logs are without timestamps and names.”

It remains unclear why so many large companies persist in believing it’s acceptable to store so much sensitive customer data with so few security protections. For example, Advance Auto Parts said the exposed data included the full names, Social Security numbers, driver’s licenses and government-issued identification numbers of 2.3 million people who were former employees or job applicants.

This may be because, aside from the class action lawsuits that invariably follow these breaches, few companies are held accountable for sloppy security practices. AT&T told the SEC that it does not believe the incident is likely to have a material impact on AT&T’s financial condition or results of operations. AT&T reported revenue of more than $30 billion in its most recent quarter.

News Source : krebsonsecurity.com