AT&T reports second substantial records leak of 2024 • The Register

AT&T has admitted that cyberattackers grabbed a load of its data for the second time this year, and if you think the first haul was big, you haven’t seen anything: This latest one includes data on “nearly all” AT&T wireless customers – and those served by mobile virtual network operators (MVNOs) running on AT&T’s network. 

The American telco giant disclosed today that a security “breach” at a “third-party cloud platform” resulted in the theft of call and text metadata, though not of any personal information belonging to customers.

Nonetheless, some customers could be at risk because “a subset” of the records held in that online storage included one or more cell tower identification numbers, potentially allowing snoops to roughly geolocate a customer whose data was stolen in the attack.

An AT&T spokesperson told The Register that call and text records – specifically the details of those interactions, not the content – for just under 110 million customers were snatched from the compromised cloud storage.

That 110 million figure is basically 2022’s total subscriber count minus IoT devices and additional lines, we’re told. AT&T told us the final number includes affected MVNO customers. 

AT&T said it doesn’t believe any of the customer data stolen in the attack has been published online (yet), and that at least one person has been arrested by the FBI in connection with the theft of its records.

The FBI didn’t directly answer our questions regarding the arrest, saying only that it had been working with AT&T on the matter since shortly after the incident was discovered in mid-April, and that the lag in public disclosure was permitted under the rules that allow companies to request a delay in reporting potentially material data thefts.

One more flake in the snow bank

For those seeing “third party cloud platform” and immediately assuming this is related to the ongoing recovery from attackers targeting vendors’ accounts with cloud provider Snowflake – you’d be correct. AT&T is yet another high-profile customer caught up in the digital ransacking of Snowflake user accounts by miscreants using stolen customer login credentials.

If you’ve missed the avalanche, it’s believed about 165 companies had their internal data pilfered earlier this year from their individual Snowflake online database storage spaces.

It’s believed the crooks performed credential stuffing – trying username and password combinations stolen from other apps or sites to see if those combos also worked with Snowflake – to access some customers’ Snowflake cloud storage. In at least some cases the credentials had been harvested by info-stealing malware on victims’ computers.

That is to say, Snowflake itself wasn’t compromised in a way that allowed the data to be stolen; it was all swiped from individual customer accounts via underhandedly obtained valid logins.

Investigators at Mandiant believe affected Snowflake customers didn’t have multifactor authentication enabled on their accounts. Snowflake has since made MFA mandatory for all instances. 
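The two signals described above – one source trying many different usernames, and successful logins that were never challenged for a second factor – are what a defender would hunt for in a cloud account’s login history. The following is an added illustration, not code from AT&T, Snowflake or Mandiant; the login rows and their field layout are constructed for this example and merely resemble the kind of login-history export a cloud platform provides.

```python
from collections import defaultdict

# Constructed sample login history (not real data). Each row is
# (timestamp, username, source IP, login succeeded?, second factor used).
# A second factor of None means the login completed with a password alone.
LOGIN_EVENTS = [
    ("2024-04-10T02:00:01Z", "alice", "203.0.113.7",   False, None),
    ("2024-04-10T02:00:03Z", "bob",   "203.0.113.7",   False, None),
    ("2024-04-10T02:00:05Z", "carol", "203.0.113.7",   False, None),
    ("2024-04-10T02:00:08Z", "dave",  "203.0.113.7",   True,  None),
    ("2024-04-10T02:00:11Z", "erin",  "203.0.113.7",   False, None),
    ("2024-04-10T09:15:00Z", "alice", "198.51.100.20", True,  "TOTP"),
    ("2024-04-10T09:20:00Z", "frank", "198.51.100.21", True,  None),
]


def stuffing_sources(events, min_distinct_users=4):
    """Source IPs that attempted many *distinct* usernames.

    That is the credential-stuffing signature: one operator replaying a
    list of stolen username/password pairs, most of which fail."""
    users_by_ip = defaultdict(set)
    for _ts, user, ip, _ok, _factor in events:
        users_by_ip[ip].add(user)
    return sorted(ip for ip, users in users_by_ip.items()
                  if len(users) >= min_distinct_users)


def logins_without_mfa(events):
    """Successful logins that were never challenged for a second factor.

    These are the accounts on which a stuffed password alone was enough;
    each one is a candidate for MFA enrolment regardless of attacker activity."""
    return sorted((user, ip) for _ts, user, ip, ok, factor in events
                  if ok and factor is None)


def accounts_to_reset(events, min_distinct_users=4):
    """Accounts that logged in successfully from a flagged stuffing source.

    This is the short list for credential rotation and session revocation,
    since a success from a stuffing source means the password is known."""
    bad_ips = set(stuffing_sources(events, min_distinct_users))
    return sorted({user for _ts, user, ip, ok, _f in events
                   if ok and ip in bad_ips})


if __name__ == "__main__":
    print("stuffing sources:", stuffing_sources(LOGIN_EVENTS))
    print("password-only logins:", logins_without_mfa(LOGIN_EVENTS))
    print("reset these accounts:", accounts_to_reset(LOGIN_EVENTS))
```

On the constructed rows, the single source that tried five usernames is flagged, two password-only successes surface, and only the account that succeeded from the flagged source lands on the reset list.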

We asked AT&T if it had forgotten to enable MFA on its Snowflake account, and that question went unanswered. 

Along with AT&T, the mass intrusion into Snowflake instances has affected companies like Ticketmaster and its Australian equivalent Ticketek, US auto supply store Advance Auto Parts, international bank Santander, and lots more.

AT&T said in March that records belonging to 73 million current and former customers had been published on the dark web, making this latest admission the second massive customer data exposure it has experienced this year. The data exposed in March, however, is believed to have been stolen several years ago.

The telco told us the two incidents are unrelated, and has repeatedly asserted that the data stolen in the previous attack didn’t come from its systems, either. ®