American telecom service provider AT&T has confirmed that threat actors managed to access data belonging to "nearly all" of its wireless customers as well as customers of mobile virtual network operators (MVNOs) using AT&T's wireless network.
"Threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated files containing AT&T records of customer call and text interactions that occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023," it said.
This comprises telephone numbers with which an AT&T or MVNO wireless number interacted – including telephone numbers of AT&T landline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month.
A subset of these records also contained one or more cell site identification numbers, potentially allowing the threat actors to triangulate the approximate location of a customer when a call was made or a text message was sent. AT&T said it will alert current and former customers if their information was involved.
"The threat actors have used data from previous compromises to map phone numbers to identities," Jake Williams, former NSA hacker and faculty at IANS Research, said. "What the threat actors stole here are effectively call data records (CDR), which are a gold mine in intelligence analysis because they can be used to understand who is talking to who — and when."
AT&T's list of MVNOs includes Black Wireless, Boost Infinite, Consumer Cellular, Cricket Wireless, FreedomPop, FreeUp Mobile, Good2Go, H2O Wireless, PureTalk, Red Pocket, Straight Talk Wireless, TracFone Wireless, Unreal Mobile, and Wing.
The name of the third-party cloud provider was not disclosed by AT&T, but Snowflake has since confirmed that the breach was connected to the hack that's impacted other customers, such as Ticketmaster, Santander, Neiman Marcus, and LendingTree, according to Bloomberg.
The company said it became aware of the incident on April 19, 2024, and immediately activated its response efforts. It further noted that it's working with law enforcement in their efforts to arrest those involved, and that "at least one person has been apprehended."
404 Media reported that a 24-year-old U.S. citizen named John Binns, who was previously arrested in Turkey in May 2024, is connected to the security event, citing three unnamed sources. He was also indicted in the U.S. for infiltrating T-Mobile in 2021 and selling its customer data.
However, AT&T emphasized that the accessed information does not include the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information.
"While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number," it said in a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC).
It's also urging users to be on the lookout for phishing, smishing, and online fraud by only opening text messages from trusted senders. On top of that, customers can submit a request to get the phone numbers of their calls and texts in the illegally downloaded data.
The malicious cyber campaign targeting Snowflake has landed as many as 165 customers in the crosshairs, with Google-owned Mandiant attributing the activity to a financially motivated threat actor dubbed UNC5537 that encompasses "members based in North America, and collaborates with an additional member in Turkey."
The criminals have demanded payments of between $300,000 and $5 million in return for the stolen data. The latest development shows that the fallout from the cybercrime spree is expanding in scope and has had a cascading effect.
WIRED revealed last month how the hackers behind the data thefts and extortion attacks procured' stolen Snowflake credentials from dark web services that sell access to usernames, passwords, and authentication tokens that are captured by stealer malware. This included obtaining access through a third-party contractor named EPAM Systems.
For its part, Snowflake this week announced that administrators can now enforce mandatory multi-factor authentication (MFA) for all users to mitigate the risk of account takeovers. It also said it will soon require MFA for all users in newly created Snowflake accounts.
Update
AT&T has reportedly paid the threat actors behind the breach $370,000 in cryptocurrency to delete what's believed to be the "only copy" of the data and provide a video demonstrating proof of deletion, according to WIRED.
The ransom amount is believed to have been paid back in May, according to a member of the notorious ShinyHunters hacking group that has claimed responsibility for the incident by exploiting unsecured Snowflake storage accounts.
The U.S. Federal Communications Commission (FCC) said it has "an ongoing investigation into the AT&T breach and we're coordinating with our law enforcement partners."