AT&T Data Breach and Hack: What Does it Mean to Me?

Jul 18, 2024


copyright 2024, Steven Burgess

It was ginormous. It included almost all wireless customers from 2022. Did you have an AT&T phone or other account in 2022? You’re one of 110 million (gasp). You be hacked, my friend. 

But the data wasn’t gathered from AT&T’s own servers. No, it was from a third party cloud storage company. 

Do you mean to tell me that AT&T doesn’t hold its own data under lock and key?

Yes. Yes, I do. And it’s not only AT&T. A very large percentage of cloud-based storage is contracted out to someone else besides the company you thought you were buying that storage from. The people you’re paying may not have any idea as to the actual physical location(s) of your data that you’re entrusting them with.

That third party was Snowflake, which warehouses data for AT&T, JetBlue, Mastercard, Canva, Orangetheory, and about 15,000 others.

Why would these companies entrust Snowflake with their data? Um … security?

No, seriously – warehousing data, making it available, providing huge data pipelines, and security are big, complicated, difficult deals and it makes sense to contract with a company that specializes in and knows – or at least, ostensibly knows – how to provide security. 

Snowflake’s chief information security officer told CNN that the company hasn’t found evidence that the hack was “caused by a vulnerability, misconfiguration or breach of Snowflake’s platform.”

Well, how then? A phishing attack? An inside job? They’re not saying – yet.

Rest assured, there will be a big, hairy investigation of this and someone will be giving up a pound or two of flesh. 

What got stolen?

According to AT&T, it was “records of calls and texts of nearly all of AT&T’s cellular customers.” These customers would be in the USA and Canada.

  • Telephone numbers of “nearly all” AT&T cellular customers from May 1 through Oct. 31, 2022. Also, for some subscribers on January 2, 2023.
  • Telephone numbers of customers of wireless providers that use AT&T’s network during those same time frames.
  • Phone logs of the aforementioned customers, which include records of every number customers texted — including people on other wireless networks — along with the number of times they interacted — and how long the calls lasted.
  • For some (we don’t know how many or what percentage) subscribers, it also included cell tower data that would reveal the phone’s location during a call or text.

What didn’t get stolen?

  • Personal information linking your account to you.
  • Names, credit card numbers, and social security numbers.
  • The content of texts and messages.
  • Recordings of phone conversations.
  • Location data – where you were when you made a call or text –  except for that noted above.
  • Anything else on your phone besides what got stolen, above.

Why should I care?

Although critical identifying info wasn’t revealed, it’s pretty easy to do a reverse phone number lookup to determine the name of the person who the account belonged to, their address, their age, the people they live with, and people associated with the subscriber. As a result, it will be an easy matter to send bogus texts to subscribers with all manner of nefarious schemes, for instance:

  • If location data was revealed, then it also reveals where you hang and when, giving a potential bad actor more information about you to assist their scheming, or even show up in a place you frequent. 
  • The “I know what you did” blackmail scam where a message is sent saying they saw you on an illegitimate website or at an illegal massage parlor, and demanding payment before they tell your spouse or business partner, or law enforcement. I can just see the mind’s momma shaking her finger and asking why you have a guilty conscience.
  • Looking at the metadata from phone and text records could allow a bad actor to figure out who your financial institution is and fake being a representative of that company in order to get you to reveal your login credentials, or to send them money.
  • Looking up personal information from your phone number could allow someone to know that it’s a senior citizen they may have luck preying on. Senior fraud happens to something like 100,000 seniors yearly, who are defrauded of several billion dollars.

These kinds of scams happen anyway, but this massive trove of data provides a rich source of potentially deceivable people. The scams I most often hear about are computer tech support scams, where a pop-up message tells the user their device is damaged or infected and needs fixing. The user is then fooled into giving the supposed tech full remote access to their device.

With this breach it may now be more a matter of WHEN than IF.

Who did it?

Authorities think it was an attack by John Binns, an American hacker who claimed responsibility for a massive 2021 theft of T-Mobile user data. He was arrested in Turkey near the beginning of May, 2024. An interesting character. It’s been reported that he believes, among other fascinating things, that a chip was implanted into his brain at birth (the devil made him do it). He had been fighting an indictment for the T-Mobile hack he allegedly perpetrated.

When did it happen?

AT&T said they found out about it on April 19, 2024. This was maybe a month after an earlier AT&T data leak hit the Dark Web. They let the public know via press release on July 12, 2024.

Why didn’t they tell everyone sooner? 

The US Department of Justice (DOJ) & the FBI asked them to wait. Huh. The FBI confirmed a delay in public disclosure citing an SEC rule regarding public safety. They wanted to figure out what kind of harm had happened and could happen before disclosure. Both agencies were working with AT&T in an ongoing investigation.

Is my AT&T data still out there?

Welllll…. AT&T paid a ransom of about 5.7 bitcoin (more than a third of a million dollars at the time) to someone acting as a go-between for the hacker(s) to delete the data and show proof of it having been deleted. He wanted a million at first but let it be cut down to a third of that. Generous.

You can trust hackers to delete what they stole, right? Well, those who ought to know think it was deleted.

What can I do?

AT&T has a resource for subscribers here.

You can review if, where, and when your email address and passwords associated with it are found on a trustworthy site called Have I Been Pwned?

Another resource for finding out if your email & passwords have been compromised is provided by Malwarebytes – note that they’re going to tell you to install their software, which isn’t a bad idea at all. 

Anything else I should be thinking about here?

Just a couple of prime policies for prevention include:

  • Set up two-factor authentication (2FA) on your personal accounts. It’s a pain, I know, but less of a pain than identity fraud or theft.
  • Don’t give anyone your social security number except your financial institution, government agencies, and your employer.
  • Password-protect your devices and don’t share your passwords.
  • Don’t use easy-to-guess passwords.
  • Don’t ever click on links in an email – type the URL into a browser instead.
  • Don’t click on pop-ups.

There are a number of articles on hardening your systems and avoiding hacks on the Burgess Forensics blog 

The Federal Trade Commission (FTC) has some tips here. 

And yes, of course there’s already a class-action suit in the offing.

 

 
