Thursday, July 18, 2024
AT&T Data Breach and Hack: What Does it Mean to Me?
copyright 2024, Steven Burgess
It was ginormous. It covered nearly all of AT&T's wireless customers over a six-month stretch of 2022. Did you have an AT&T phone (or a phone on a carrier that rides AT&T's network) then? You're one of roughly 110 million (gasp). You be hacked, my friend.
But the data wasn't taken from AT&T's own servers. It came from a third-party cloud data platform.
Do you mean to tell me that AT&T doesn’t hold its own data under lock and key?
Yes. Yes, I do. And it's not only AT&T. A very large share of corporate data storage and processing is contracted out to someone other than the company you thought was holding it. The company you're paying may not even know the physical location(s) of the data you've entrusted to it.
That third party was Snowflake, which warehouses data for AT&T, JetBlue, Mastercard, Canva, Orangetheory, and thousands of other customers.
Why would these companies entrust Snowflake with their data? Um … security?
No, seriously: warehousing data, making it available, providing huge data pipelines, and securing all of it are big, complicated, difficult jobs, and it makes sense to contract with a company that specializes in them and knows, or at least ostensibly knows, how to do them securely.
Snowflake's chief information security officer told CNN that the company hasn't found evidence that the hack was "caused by a vulnerability, misconfiguration or breach of Snowflake's platform."
Well, how then? A phishing attack? An inside job? They're not saying yet. Read that statement carefully, though: "not our platform" rules out a flaw on Snowflake's side and leaves the customer side of the setup wide open, and stolen customer logins, especially on accounts without multi-factor authentication, are exactly the kind of thing it doesn't exclude.
Rest assured, there will be a big, hairy investigation of this and someone will be giving up a pound or two of flesh.
What got stolen?
According to AT&T, it was “records of calls and texts of nearly all of AT&T’s cellular customers.” These customers would be in the USA and Canada.
- Telephone numbers of "nearly all" AT&T cellular customers who made calls or sent texts from May 1 through Oct. 31, 2022, plus, for a small number of subscribers, records from January 2, 2023.
- Telephone numbers of customers of other wireless providers that use AT&T's network during those same time frames.
- Call and text logs for those customers: every number they called or texted, including people on other wireless networks, how many times they interacted, and how long the calls lasted.
- For some subscribers (we don't know how many or what percentage), cell site identification numbers, which can be used to approximate where the phone was during a call or text.
What didn’t get stolen?
- Personal information linking the number to you: names, addresses, dates of birth, Social Security numbers, and credit card numbers.
- The content of texts and messages.
- Recordings of phone conversations.
- Location data (where you were when you made a call or text), except for the cell site IDs noted above.
- Anything on your phone itself. These were carrier records, not the contents of your device.
Why should I care?
Although critical identifying info wasn't revealed, a reverse phone number lookup makes it easy to tie a number to the name of the person the account belonged to, their address, their age, the people they live with, and their associates. As a result, it will be an easy matter to send subscribers bogus texts with all manner of nefarious schemes, for instance:
- If cell site data was included for you, it also reveals where you hang out and when, giving a potential bad actor more information to assist their scheming, or even the ability to show up at a place you frequent.
- The "I know what you did" blackmail scam, where a message says they saw you on an illegitimate website or at an illegal massage parlor and demands payment before they tell your spouse, your business partner, or law enforcement. I can just see momma shaking her finger and asking why you have a guilty conscience.
- Looking at the metadata from phone and text records could let a bad actor figure out who your financial institution is (a run of short calls to a bank's published customer service line is a giveaway) and then pose as a representative of that company to get you to reveal your login credentials or send them money.
- Looking up personal information from your phone number could tell someone that it's a senior citizen they may have luck preying on. Senior fraud happens to something like 100,000 seniors yearly, who are defrauded of several billion dollars.
These kinds of scams happen anyway, but this massive trove of data provides a rich list of potential targets. The scams I most often hear about are computer tech support scams, where a pop-up message tells the user their device is damaged or infected and needs fixing. The user is then fooled into giving the supposed tech full remote access to their device.
With this breach it may now be more a matter of WHEN than IF.
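To make the "metadata is enough" point concrete, here is an added example (written for this post, not code from the original article or from AT&T) that works only with the fields the post lists: subscriber number, the other party, call or text, call duration, and a cell site ID for some records. The records and the "known institutional numbers" table are constructed; the table stands in for the public reverse-lookup data an attacker would gather.

```python
"""Added example, not from the original post or AT&T: what the stolen
metadata fields alone can reveal about a subscriber.

Records are constructed for illustration and carry only the fields the post
lists (subscriber number, other party, call or text, call duration, and a
cell site ID for some records). No names, contents, or real numbers appear.
"""
from collections import Counter, defaultdict

# Constructed call/text records. Numbers are fictional 555 test numbers.
# (subscriber, other party, kind, call seconds, cell site ID or None)
SAMPLE_RECORDS = [
    ("555-0100", "800-555-0199", "call", 412, "SITE-17"),
    ("555-0100", "555-0123", "text", 0, "SITE-17"),
    ("555-0100", "800-555-0199", "call", 95, "SITE-17"),
    ("555-0100", "555-0123", "text", 0, "SITE-42"),
    ("555-0100", "555-0123", "call", 1300, "SITE-42"),
    ("555-0100", "555-0177", "text", 0, None),
    ("555-0100", "800-555-0199", "call", 60, "SITE-17"),
    ("555-0101", "555-0100", "call", 30, "SITE-99"),  # another subscriber, ignored below
]

# Constructed stand-in for the public reverse-lookup data an attacker would
# gather (published customer-service lines of banks, clinics, and so on).
KNOWN_NUMBERS = {
    "800-555-0199": "Example Credit Union customer service",
}


def contact_summary(records, subscriber):
    """Per counterpart: how many calls, how many texts, total call seconds."""
    summary = defaultdict(lambda: {"calls": 0, "texts": 0, "call_seconds": 0})
    for sub, other, kind, secs, _site in records:
        if sub != subscriber:
            continue
        entry = summary[other]
        if kind == "call":
            entry["calls"] += 1
            entry["call_seconds"] += secs
        else:
            entry["texts"] += 1
    return dict(summary)


def closest_contacts(records, subscriber):
    """Counterparts ranked by interaction count, then by talk time.
    The top entries are the spouse, family and friends a scammer would name-drop."""
    summary = contact_summary(records, subscriber)
    return sorted(
        summary,
        key=lambda n: (-(summary[n]["calls"] + summary[n]["texts"]),
                       -summary[n]["call_seconds"]),
    )


def likely_institutions(records, subscriber, known=KNOWN_NUMBERS):
    """Counterparts that match a known institutional line, with interaction counts.
    This is how metadata points a scammer at 'your' bank without any call content."""
    summary = contact_summary(records, subscriber)
    hits = [(num, known[num], e["calls"] + e["texts"])
            for num, e in summary.items() if num in known]
    return sorted(hits, key=lambda h: -h[2])


def top_cell_sites(records, subscriber, n=2):
    """Most frequent cell sites: where the phone usually is when it is used."""
    sites = Counter(site for sub, _o, _k, _s, site in records
                    if sub == subscriber and site is not None)
    return sites.most_common(n)


if __name__ == "__main__":
    target = "555-0100"
    print("closest contacts:", closest_contacts(SAMPLE_RECORDS, target))
    print("likely institutions:", likely_institutions(SAMPLE_RECORDS, target))
    print("habitual cell sites:", top_cell_sites(SAMPLE_RECORDS, target))
```

Run it and the fictional subscriber's closest contact, their credit union, and the two cell sites they use most fall out of seven records with no names and no message content. Scale that to 110 million numbers and a public reverse-lookup directory and you have the target list the post is warning about.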
Who did it?
Authorities think it was an attack by John Binns, an American hacker who claimed responsibility for a massive 2021 theft of T-Mobile user data. He was arrested in Turkey near the beginning of May 2024. An interesting character. It's been reported that he believes, among other fascinating things, that a chip was implanted into his brain at birth (the devil made him do it). He had been fighting an indictment for the T-Mobile hack he allegedly perpetrated.
When did it happen?
AT&T said they found out about it on April 19, 2024, roughly a month after an earlier, separate AT&T data leak hit the dark web. They let the public know via press release, and an SEC filing, on July 12, 2024.
Why didn’t they tell everyone sooner?
The US Department of Justice (DOJ) and the FBI asked them to wait. Huh. The FBI confirmed the delay, citing the delay provision in the SEC's cybersecurity disclosure rule, which lets a company postpone disclosure when the DOJ determines that disclosing would pose a substantial risk to national security or public safety. They wanted to figure out what harm had happened and could still happen before disclosure, and both agencies were working with AT&T in an ongoing investigation.
Is my AT&T data still out there?
Welllll…. AT&T reportedly paid a ransom of about 5.7 bitcoin (more than a third of a million dollars at the time) to someone acting as a go-between for the hacker(s), in exchange for deleting the data and showing proof that it had been deleted. He wanted a million at first but let it be cut down to a third of that. Generous.
You can trust hackers to delete what they stole, right? Well, those who ought to know think it was deleted. Keep in mind what a deletion video can and can't prove: it shows one copy being removed, and nothing about copies made before the camera was rolling. Treat the data as out there and act accordingly.
What can I do?
AT&T has a resource for subscribers here.
You can check whether, where, and when your email address (and the passwords associated with it) has turned up in known breaches on a trustworthy site called Have I Been Pwned?
Another resource for finding out if your email and passwords have been compromised is provided by Malwarebytes. Note that they're going to tell you to install their software, which isn't a bad idea at all.
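For readers who would rather not paste a password into a web form, Have I Been Pwned's Pwned Passwords service has a range API built so the password never leaves your machine. The client below is an added example written for this post (not code from the original article or from Have I Been Pwned): it sends only the first five hex characters of the password's SHA-1 hash, receives every suffix the service knows for that prefix with a breach count, and does the match locally. The sample reply is constructed so the code runs offline; its counts are invented.

```python
"""Added example, not from the original post or from Have I Been Pwned:
a client for HIBP's Pwned Passwords range API, which lets you learn whether
a password has appeared in known breaches without ever sending the password.

Only the first five hex characters of the password's SHA-1 hash go to the
service; it returns every hash suffix it knows for that prefix with a breach
count, and the match is made locally (k-anonymity). The sample reply below is
constructed so the code runs offline; the counts in it are made up.
"""
import getpass
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str):
    """Return (prefix, suffix) of the uppercase hex SHA-1: 5 chars sent, 35 kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines; return the count for our suffix, 0 if absent.
    Padded replies (Add-Padding header) contain filler suffixes with count 0,
    which this treats the same way as a genuine miss."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Real network call: GET the range for a 5-char prefix."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Breach count for the password (0 means not in the corpus).
    `fetch` is injectable so the logic can be exercised without the network."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed reply for prefix 5BAA6 (SHA-1 of "password" starts with 5BAA6).
# Real replies run to hundreds of lines; these suffixes and counts are invented,
# except that the middle suffix is the genuine remainder of SHA-1("password").
CONSTRUCTED_RANGE_5BAA6 = "\n".join([
    "0047D8D0E6E1F2DE4B3A3E5D1F0B7C9A8E6:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9659365",
    "2B3C4D5E6F708192A3B4C5D6E7F8091A2B3:0",
])


if __name__ == "__main__":
    # getpass keeps the password out of your shell history and off the screen.
    pw = getpass.getpass("Password to check (never sent): ")
    hits = pwned_count(pw)
    print(f"seen {hits} times in breaches" if hits else "not found in Pwned Passwords")
```

The `Add-Padding` header asks the service to pad every reply to a similar size so that an observer watching traffic volume can't guess which prefix you asked about; the filler entries come back with a count of 0 and are ignored by the parser. A non-zero count is a reason to change that password everywhere it is used, not just on the account you were thinking about.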
Anything else I should be thinking about here?
A few prime policies for prevention:
- Set up two-factor authentication (2FA) on your personal accounts. It's a pain, I know, but less of a pain than identity fraud or theft. Where you have the choice, use an authenticator app rather than text-message codes; after a phone-records breach, your phone number is exactly what scammers will be aiming at.
- Don’t give anyone your social security number except your financial institution, government agencies, and your employer.
- Password-protect your devices and don’t share your passwords.
- Don't use easy-to-guess passwords.
- Don't click on links in an email; type the URL into a browser instead.
- Don’t click on pop-ups.
There are a number of articles on hardening your systems and avoiding hacks on the Burgess Forensics blog.
The Federal Trade Commission (FTC) has some tips here.
And yes, of course there’s already a class-action suit in the offing.
Contact Steve Burgess: steve@burgessforensics.com
(866) 345-3345 ; (805) 349-7676
http://www.burgessforensics.com