In one of the most significant data breaches in recent history, hackers stole AT&T customers’ call and text metadata spanning several months.
Hackers broke into a cloud platform used by AT&T and downloaded call and text records of “nearly all” of AT&T’s cellular customers across a several-month period, AT&T announced early on Friday.
The stolen data, which mostly impacts calls and texts made between May 2022 and October 2022, presents a hugely significant and unprecedented data breach for AT&T and the telecom industry more broadly. Metadata—which shows what numbers a customer interacted with—is typically only available to law enforcement in a targeted way under legal process. Here, outside hackers managed to steal the data themselves. In its announcement AT&T said it believes that authorities have already apprehended one of the people involved in the breach.
“In April, AT&T learned that customer data was illegally downloaded from our workspace on a third-party cloud platform. We launched an investigation and engaged leading cybersecurity experts to understand the nature and scope of the criminal activity. We took steps to close off the illegal access point,” AT&T’s statement starts.
“Based on our investigation, the compromised data includes files containing AT&T records of calls and texts of nearly all of AT&T’s cellular customers and customers of mobile virtual network operators (MVNOs) on AT&T’s network, as well as AT&T’s landline customers who interacted with those cellular numbers between May 1, 2022—October 31, 2022,” the statement adds. MVNOs are other telecommunications companies that essentially piggyback off another’s infrastructure to provide their own services and products.
AT&T said some of the stolen data also impacted records from January 2, 2023 for “a very small number of customers.”
In this case, AT&T said the stolen metadata did not include the timestamps of calls or texts, meaning the hackers could not see when an AT&T customer dialed a certain number. But they could still see which number was called or texted, information that is still highly sensitive and personal. As AT&T points out, sometimes it is possible to use publicly available tools to then discover the identity of a person who owns a particular phone number.
AT&T said it does not believe the data is publicly available.
AT&T told 404 Media that the third-party cloud service that was targeted was Snowflake, a data warehousing tool. Snowflake is at the center of an ever-increasing number of serious and high-profile breaches, including Ticketmaster and Santander. In June, cybersecurity company Mandiant said it had found hundreds of Snowflake customers’ credentials exposed by infostealer malware since 2020. Infostealers typically harvest credentials from infected machines, including usernames and passwords but also authentication tokens and cookies. Many of these credentials are then freely distributed on Telegram every day.
When asked for comment, Snowflake pointed to a blog post the company published in May written by the company’s CISO Brad Jones. “We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” Jones wrote. Snowflake added in an email that this characterization has been verified by Mandiant and CrowdStrike, another cybersecurity firm.
In a filing posted to the SEC website, AT&T said that on May 9 and June 5, the U.S. Department of Justice determined that delaying public disclosure of the breach was warranted. AT&T told 404 Media that the agency responsible for the apprehension of a suspect was the FBI. The FBI did not respond to a request for comment.
Senator Ron Wyden told 404 Media in a statement that “This is not the first data breach revealed by a major phone company and it won’t be the last. These hacks, which are almost always the result of inadequate cybersecurity, won’t end until the FCC starts holding the carriers accountable for their negligence. These companies will keep shortchanging customer security until it hits them in the wallet with billion dollar fines.”
Update: This piece has been updated to include additional information from AT&T’s SEC filing.