Phone, text message records of ‘nearly all’ AT&T customers stolen

The pilfered content, which contains aggregated metadata, was taken via the company’s Snowflake instance.

Telecommunications giant AT&T announced Friday that hackers obtained six months of phone and text message records of “nearly all” of the company’s customers. 

An AT&T spokesperson confirmed the data was pulled from Snowflake, making this incident one of the most significant data exfiltration attacks tied to the cloud platform’s recent security woes. AT&T said it believes at least one person linked to the breach is in federal custody, according to the company’s SEC filing describing the incident.

AT&T said that hackers were able to exfiltrate sensitive information covering May 2, 2022, to October 31, 2022, as well as information from January 2, 2023. The data includes phone numbers that an AT&T mobile phone communicated with, including AT&T landline users. In some cases, the data also contains specific cell site ID numbers linked to these interactions. The data does not include content, the timestamps of any calls or texts, Social Security numbers, dates of birth or other personally identifiable information.

AT&T learned of the incident on April 19 and believes that the hackers accessed the Snowflake workspace between April 14 and April 25, 2024.

AT&T is the latest in a string of major firms to suffer a data breach via the cloud storage platform Snowflake, most of which are believed to have occurred due to a lack of multi-factor authentication. Asked for comment, a Snowflake representative pointed to a blog post by CEO Brad Jones that claims the company has “not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” citing investigations by the incident response firms Mandiant and CrowdStrike.

Snowflake announced on Thursday that administrators can now enforce mandatory multi-factor authentication for Snowflake users.

The stolen data will be a goldmine for scammers, financially motivated hackers, pig butchers, and nation-backed threats alike. AT&T says it does not believe the data has been made public.

Chris Frascella, a counsel at the Electronic Privacy Information Center, said that the cell site ID numbers can be used to deduce approximate locations, which can further reveal sensitive information — like if an individual made a call near a protest. It’s not yet clear, however, if individuals who are not AT&T customers and received a call from a person in the breached data set would be impacted by approximate location metadata.

“Every phone number you’ve called or received has been disclosed, during the time period that the breach covers, so even though they don’t necessarily know the content of the communications, you probably still don’t want them knowing who you’re getting and giving calls to and from,” Frascella said. “Are you calling an oncologist office? Are you calling your attorney and is that a divorce attorney? Like sensitive types of calls that even just knowing the phone number can reveal information about you.”

Though AT&T has said that the stolen material does not include names of customers, experts caution that matching identities to phone numbers is trivial. “The business phone numbers will be easy to identify and private numbers can be matched to names with public record searches,” said Thomas Richards, a principal consultant at Synopsys Software Integrity Group.

The Federal Communications Commission said it is investigating the breach.

A spokesperson for the Cybersecurity and Infrastructure Security Agency said in a statement that the agency is working to assess the impact of the breach.

Updated July 12, 2024: This article has been updated to include a statement from the Federal Communications Commission and comment from privacy and security experts.

Written by Christian Vasquez

Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out: christian.vasquez at cyberscoop dot com