Huge AT&T Data Breach
Zack Whittaker (Hacker News):
U.S. phone giant AT&T confirmed Friday it will begin notifying millions of consumers about a fresh data breach that allowed cybercriminals to steal the phone records of “nearly all” of its customers, a company spokesperson told TechCrunch.
In a statement, AT&T said that the stolen data contains phone numbers of both cellular and landline customers, as well as AT&T records of calls and text messages — such as who contacted who by phone or text — during a six-month period between May 1, 2022 and October 31, 2022.
[…]
AT&T’s Huguely told TechCrunch that the most recent compromise of customer records were stolen from the cloud data giant Snowflake during a recent spate of data thefts targeting Snowflake’s customers.
In a written statement shared with KrebsOnSecurity, the FBI confirmed that it asked AT&T to delay notifying affected customers.
[…]
Earlier this year, malicious hackers figured out that many major companies have uploaded massive amounts of valuable and sensitive customer data to Snowflake servers, all the while protecting those Snowflake accounts with little more than a username and password.
[…]
Other companies with millions of customer records stolen from Snowflake servers include Advance Auto Parts, Allstate, Anheuser-Busch, Los Angeles Unified, Mitsubishi, Neiman Marcus, Progressive, Pure Storage, Santander Bank, State Farm, and Ticketmaster.
AT&T’s SEC filing says some cellular site tower information is also among the data accessed by the intruders, which could be used to determine the approximate location of where a call was made or text message sent.
This raises an important question: Was the AT&T customer data stolen from a law enforcement portal set up by AT&T? Sure seems like it.
I’ve also seen a section of the hacked AT&T data. It is incredibly sensitive. The numbers dialed by targets can include apparent family members, businesses, and other places that build a detailed picture of someone’s life. Staggering data breach.
Update (2024-07-15): Matthew Green:
If you want to avoid disasters like the AT&T breach, there are basically only three solutions:
- Don’t store data
- Don’t store unencrypted data
- Have security practices like Google
3 Comments
@Bri According to some initial reporting I’ve read, answer is “yes” MVNO data is implicated. (Tho take that with a grain of salt, since I don’t have any references to offer.)
I understand /why/ the FBI might ask AT&T and others to delay notifications, but when it also means doing things like delaying password resets (if they're deemed necessary) that makes me feel pretty uneasy. Ugh.
Will also be curious to see if AT&T bears any requirements to notify non-customers whose data they hold. Granted, I am not that personally concerned about my phone metadata, but it really does make you think about how many people indirectly (even for legit reasons) have your data, and yet you likely have zero recourse if things go wrong.