Hackers Downloaded Call Logs from Cloud Platform in AT&T Breach

Telecommunications giant AT&T has revealed that customer data has been illegally downloaded by threat actors.

Hackers have downloaded the data from AT&T’s its workspace on a third-party cloud platform, the company confirmed in a statement published on July 12.

According to a filing with the US Securities and Exchange Commission (SEC), the company first learned that call logs had been accessed and copied unlawfully on April 19, 2024.

AT&T confirmed that, based on an investigation, the data includes files containing AT&T records of calls and texts of nearly all of AT&T’s cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network, as well as AT&T’s landline customers who interacted with those cellular numbers between May 1, 2022, and October 31, 2022. 

The compromised data also includes records from January 2, 2023, for a very small number of customers. 

“The breach against AT&T is huge and will certainly worry any customer whose data has been leaked. Customers should exercise extreme caution and be on the lookout for any potential phishing attacks or other types of fraud. With the type of data stolen, SMS phishing could be particularly prevalent,” said Christiaan Beek, Senior Director Threat Analytics, Rapid7.

While the data does not contain the content of calls or texts, records identify the telephone numbers an AT&T or MVNO cellular number interacted with during the periods mentioned.

The company also does not believe any personally identifiable information, such as social security numbers and dates of birth, has been affected. At the time, the company issued a statement saying it did not believe that the data is publicly available. Operations at AT&T have not been affected.

In the SEC filing, AT&T said it has taken additional cybersecurity measures in response to this incident, including closing off the point of unlawful access. AT&T will notify current and former impacted customers.

This latest AT&T data breach is not related to an earlier incident which saw 73 million customer and former customer records advertised on a dark web marketplace in April.

Snowflake At the Source of the AT&T Breach

Reports suggest that the third-party cloud provider affected was Snowflake.

Elliott Wilkes, CTO of Advanced Cyber Defence Systems (ACDS), commented: “This breach appears to be the result of an attacker exfiltrating AT&T data stored in a Snowflake account, adding over 100 million affected customers to an already staggering volume of data leaked from Snowflake accounts. It is possible that the Snowflake attack might end up as one of the largest data breaches to date.”

Data warehousing platform Snowflake has been at the center of a spate of data thefts affecting its users.

This includes Ticketmaster, which confirmed unauthorized activity within a third-party cloud database environment containing company data earlier in June 2024.  

To date, over 160 organizations using snowflake have been notified that they have potentially been exposed.

In Mandiant’s analysis of the Snowflake incident, it identified financially motivated threat actor, named UNC5537, as advertising stolen data for sale on cybercrime forums from some victims.

Mandiant researchers said that UNC5537 is “systematically” compromising Snowflake customer instances using stolen customer credentials.

In June, Jake Williams, former US National Security Agency (NSA) hacker and Faculty member at IANS Research, urged organizations to build an inventory of any data they have in Snowflake. They should also be aggressively rotating/invalidating authentication material, including API keys and access tokens, that may have found its way into a Snowflake instance, especially ones managed by a third party.

Williams further advised that whether your business is a Snowflake customer or not, vendor management teams need to be reaching out to service providers to make sure they are aware of this issue.

“Ask if your data is in one of their Snowflake instances. Also ask whether they can affirmatively state that any of your data shared with other parties is not in a Snowflake instance,” he said.

MFA in the Spotlight

A lack of multi-factor authentication (MFA) was not enabled in many Snowflake incidents, meaning successful authentication only required a valid username and password.

“Software vendors, cloud and infrastructure providers, technology companies and the like need to urgently enforce MFA by default,” Wikes said. “This must not be a premium feature with added cost but standard security, table stakes for putting your products on the market.”

In an update in June, Brad Jones, CISO at Snowflake, said that the company is developing a plan to require its customers to implement advanced security controls, MFA or network policies.