AT&T Breach May Also Impact Millions of Boost, Cricket, H2O Customers

In the scrum, countless call and text records leaked, other cell companies caught strays, the DoJ became involved, and someone has already been arrested.


A breach of an AT&T cloud workspace has exposed phone numbers and metadata relating to calls and texts for nearly all AT&T wireless customers, as well as customers of other popular wireless providers.

In an 8-K filing with the SEC on Friday, AT&T revealed that it suffered a major data breach via a third-party cloud platform. As reported by Bloomberg, that platform was Snowflake. Leaked Snowflake account credentials have already been the source of hundreds of breaches of other brand-name companies, like Ticketmaster, Santander, Neiman Marcus, and more.

The gravity of AT&T's case in particular is lost on few. While Securities and Exchange Commission (SEC) guidelines generally require that public corporations disclose material data breaches within four days of their discovery, AT&T's discovery came three months before its reporting. The wait can be attributed to the US Department of Justice (DoJ), which has been directly involved in the breach's aftermath. On May 9, and then again on June 5, the DoJ determined that "a delay in providing public disclosure was warranted." It also apprehended at least one person in connection with the crime.

What Happened

AT&T's hacker or hackers appear to have accessed its Snowflake workspace between April 14 and April 25 of this year.

During that 11-day window, they managed to exfiltrate records of customers' calls and texts during two periods: from May 1 to Oct. 31, 2022, and on the day of Jan. 2, 2023.

The May to October haul includes records of calls and texts, including the phone numbers involved, and information such as the volume and cumulative duration of those calls. The Jan. 2 records also included cell site identification numbers (unique identifiers for cell towers).

"Nearly all" of AT&T's wireless customers are affected, the company admitted, as well as customers of mobile virtual network operators (MVNOs) using AT&T's network. According to public resources, those MVNOs likely include popular wireless service providers like Boost Mobile, Cricket Wireless, H2O, and Straight Talk Wireless.

The Risk to Customers

Earlier this year, data belonging to more than 70 million AT&T customers leaked to the Dark Web. The trove included all the hallmark personally identifying information (PII) types, like Social Security numbers, mailing addresses, and dates of birth.

This time, none of the stolen data has as yet been observed on the public web, and customers' most sensitive PII has remained untouched.

Still, AT&T warned, "There are often ways, using publicly available online tools, to find the name associated with a specific telephone number."

Besides that, "The inclusion of cell site identification numbers in the stolen data is particularly alarming, as it could potentially allow for the triangulation of users' locations," Javvad Malik, lead security awareness advocate at KnowBe4, warned in an email. "This adds a physical dimension to the already extensive privacy violation and could expose individuals to highly targeted and convincing social engineering attacks, not to mention compromising the physical security of individuals, such as those trying to escape abusive relationships."

The more generic metadata, he added, "while perhaps not immediately recognized as sensitive, can paint a detailed picture of an individual's daily life, habits, and associations, making it a valuable asset for those with malicious intent."

The metadata can be used in follow-on attacks. "The exposed data could be exploited for sophisticated phishing attempts, identity theft, and other nefarious activities for years to come," Malik wrote. "It is a stark reminder that the repercussions of a data breach extend far beyond the initial incident and can have lasting consequences for the affected individuals."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
