AT&T, one of the biggest US network operators, has confirmed a massive data breach that happened in April. The hack resulted in a large leak of user data: hackers allegedly obtained records of customers' interactions via calls and text messages. It affects not only AT&T's own customers but also the users of mobile virtual network operators that run on AT&T's network.
AT&T Data Breach Affects All Wireless Customers
On July 13, 2024, AT&T published an SEC filing on its several-month investigation of the malicious activity. As it turned out, the hackers managed to gain access to the company's databases and retained it for several weeks. From April 14 to April 25, 2024, the threat actors extracted a substantial amount of information about customers of the company and of related mobile virtual network operators (MVNOs).
List of mobile virtual network operators affected by the breach
- Good2Go
- Unreal Mobile
- Wing
- TracFone Wireless
- FreedomPop
- Cricket Wireless
- Boost Infinite
- H2O Wireless
- Consumer Cellular
- PureTalk
- Straight Talk Wireless
- Black Wireless
Specifically, AT&T disclosed the leak of files containing metadata about calls and SMS messages exchanged between numbers (dates, call durations, phone numbers, etc.). How current the leaked data is, however, is another question: the adversaries allegedly obtained only older records, specifically those covering May through October 2022. It is not clear from the company's filing whether the hackers had access to more files but exfiltrated only this part, or whether this was the only data they managed to reach.
Even at this smaller scale, the consequences are not ones to ignore. The data from this breach contains so-called cell site identification numbers: codes that identify the cell tower(s) each call participant was connected to. Combined with data from several other AT&T leaks, especially ones whose dates overlap with this one, that information lets hackers reconstruct in detail who was talking to whom, from where, and for how long.
How Did the AT&T Hack Happen?
Following the disclosure of the hack, an AT&T spokesperson revealed that the hack took place on Snowflake's cloud databases. As became known earlier, the cloud technology company neglected important account protection measures, which led to a large number of companies subsequently being hacked. AT&T appears to be yet another victim: the hackers appear to have accessed databases that the telecom company kept in Snowflake's cloud storage.
The ongoing investigation has already established that the Snowflake flaws were exploited by one specific group of cybercriminals. In particular, Mandiant names several citizens of North American countries and Turkey as responsible for all these attacks. Still, despite the reach of US law enforcement, these actors have not been detained yet.
Should I be concerned?
Although the potential impact of the breach is rather high, the leaked data is useful almost exclusively in targeted attacks. AT&T specifically pointed out that the leak did not include sensitive information such as Social Security numbers or other personal details.
Nonetheless, the company likely has something it does not want to disclose, as it promises to "notify the customers about their data exposed in the breach". This may well refer only to the call and SMS records mentioned above. But it is a bad idea to underestimate what the hackers could have obtained; historically, that has never gone well.