Call, text logs for 110M AT&T customers stolen from compromised cloud storage

Snowflake? Snowflake


AT&T has admitted that cyberattackers grabbed a load of its data for the second time this year, and if you think the first haul was big, you haven't seen anything: This latest one includes data on "nearly all" AT&T wireless customers - and those served by mobile virtual network operators (MVNOs) running on AT&T's network. 

The American telco giant disclosed today that a security "breach" at a "third-party cloud platform" resulted in the theft of call and text metadata, though not of any personal information belonging to customers.

Nonetheless, some customers could be at risk because "a subset" of the records in that online storage included one or more cell tower identification numbers, which could let snoops roughly geolocate a customer whose data was stolen in the attack.

An AT&T spokesperson told The Register call and text records – specifically the details of those interactions, not the content – for just under 110 million customers were snatched from the compromised cloud storage.

That 110 million figure is basically 2022's total subscriber count minus IoT devices and additional lines, we're told. AT&T told us the final number includes affected MVNO customers. 

AT&T said it doesn't believe any of the customer data stolen in the attack has been published online (yet), and that at least one person has been arrested by the FBI in connection with the theft of its records.

The FBI didn't directly answer our questions regarding the arrest, only saying that it had been working with AT&T on the matter since shortly after the incident was discovered in mid-April.

Notably, the US Dept of Justice asked AT&T to delay public disclosure of this latest theft until now, on the grounds that earlier disclosure might pose a risk to national security or public safety.

"AT&T is working with law enforcement in its efforts to arrest those involved in the incident," the telco said in its big reveal today via the SEC. "Based on information available to AT&T, it understands that at least one person has been apprehended."

One more flake in the snow bank

For those seeing "third party cloud platform" and immediately assuming this is related to those earlier intrusions into the user accounts of cloud provider Snowflake - you'd be correct. AT&T is yet another high-profile customer caught up in the digital ransacking of Snowflake user accounts by miscreants using stolen customer login credentials.

If you've missed the avalanche, it's believed about 165 companies had their internal data pilfered earlier this year from their individual Snowflake online database storage spaces.

It's believed the crooks performed credential stuffing – using stolen username and password combinations to see if those combos also work with Snowflake – to access some people's Snowflake cloud storage. User credentials in at least some cases were obtained by info-stealing malware on victims' computers.

That is to say, Snowflake itself wasn't compromised in a way that allowed the data to be stolen; it was all swiped from individual customer accounts via underhandedly obtained valid logins.

Investigators at Mandiant believe affected Snowflake customers didn't have multifactor authentication enabled on their accounts. Snowflake has since made MFA mandatory for all instances. 

We asked AT&T if it had forgotten to enable MFA on its Snowflake account, and that question went unanswered. 
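The attack pattern described above leaves a recognizable trace in login telemetry: one source spraying leaked username/password pairs across many accounts, mostly failing, and any hit landing on an account that accepted a password alone. The following is an added example, not code from AT&T, Snowflake or Mandiant. Its sample records are constructed and mimic the shape of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (USER_NAME, CLIENT_IP, IS_SUCCESS, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR); the thresholds are illustrative assumptions, not vendor guidance.

```python
"""Spot credential stuffing in a Snowflake-style login history and flag
password-only logins that succeeded.

Added example, not code from AT&T, Snowflake or Mandiant. Records are
constructed and modelled on the columns of Snowflake's
SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view; thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LoginEvent:
    ts: str                        # ISO timestamp (constructed)
    user: str                      # USER_NAME
    client_ip: str                 # CLIENT_IP
    success: bool                  # IS_SUCCESS
    first_factor: str              # FIRST_AUTHENTICATION_FACTOR, e.g. "PASSWORD"
    second_factor: Optional[str]   # SECOND_AUTHENTICATION_FACTOR, None = no MFA


# Constructed sample: 203.0.113.7 sprays leaked combos across six users and
# lands on SVC_ETL, which has no second factor. Two legitimate users log in
# from elsewhere with MFA (one after a single typo).
SAMPLE = [
    LoginEvent("2024-04-14T02:00:01", "ALICE", "203.0.113.7", False, "PASSWORD", None),
    LoginEvent("2024-04-14T02:00:02", "BOB", "203.0.113.7", False, "PASSWORD", None),
    LoginEvent("2024-04-14T02:00:03", "CAROL", "203.0.113.7", False, "PASSWORD", None),
    LoginEvent("2024-04-14T02:00:04", "DAVE", "203.0.113.7", False, "PASSWORD", None),
    LoginEvent("2024-04-14T02:00:05", "ERIN", "203.0.113.7", False, "PASSWORD", None),
    LoginEvent("2024-04-14T02:00:06", "SVC_ETL", "203.0.113.7", True, "PASSWORD", None),
    LoginEvent("2024-04-14T09:15:00", "ALICE", "198.51.100.22", True, "PASSWORD", "DUO_PUSH"),
    LoginEvent("2024-04-14T09:20:00", "FRANK", "198.51.100.23", False, "PASSWORD", None),
    LoginEvent("2024-04-14T09:21:00", "FRANK", "198.51.100.23", True, "PASSWORD", "DUO_PUSH"),
]


def stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """Return {ip: sorted usernames} for IPs whose attempts span many distinct
    usernames and are mostly failures. The spread across accounts is what
    separates credential stuffing from one user mistyping a password."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.client_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        users = {e.user for e in evs}
        success_ratio = sum(e.success for e in evs) / len(evs)
        if len(users) >= min_users and success_ratio <= max_success_ratio:
            flagged[ip] = sorted(users)
    return flagged


def password_only_successes(events):
    """Successful logins that presented a password and nothing else: the
    accounts a stolen credential walks straight into."""
    return sorted(
        (e.user, e.client_ip)
        for e in events
        if e.success and e.first_factor == "PASSWORD" and e.second_factor is None
    )


def compromised_candidates(events, **kw):
    """Password-only successes that originated from a flagged stuffing source."""
    sources = stuffing_sources(events, **kw)
    return sorted(user for user, ip in password_only_successes(events) if ip in sources)


if __name__ == "__main__":
    print("stuffing sources:", stuffing_sources(SAMPLE))
    print("password-only successes:", password_only_successes(SAMPLE))
    print("likely compromised:", compromised_candidates(SAMPLE))
```

Against a live account the same three columns can be pulled from the LOGIN_HISTORY view and fed to these functions unchanged; the list from password_only_successes is also the list of accounts that an MFA mandate would have protected.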

Along with AT&T, the mass intrusion into Snowflake instances has affected companies like Ticketmaster and its Australian equivalent Ticketek, US auto supply store Advance Auto Parts, international bank Santander, and lots more.

AT&T said in March that records belonging to 73 million current and former customers had been published on the dark web, which makes today's admission its second massive customer data exposure this year, though the data exposed in March is believed to have been stolen several years ago.

The telco told us the two incidents are unrelated, and has repeatedly asserted that the data stolen in the previous attack didn't come from its systems, either. ®
