From targeted wiretaps to bulk surveillance dragnets, phone companies have been at the center of privacy concerns for decades—and their time in the limelight isn’t over yet. On Friday, telecom giant AT&T announced that it recently suffered a data breach impacting call and text messaging records of “nearly all” its customers. The company is in the process of notifying about 110 million people that they were affected.
AT&T said in a US Securities and Exchange Commission filing that it learned about the data breach on April 19. Attackers exfiltrated data between April 14 and April 25. The company said in its SEC submission that the US Justice Department authorized delayed disclosure of the breach on May 9 and again on June 5, pending investigation. AT&T added that it is “working with law enforcement in its efforts to arrest those involved in the incident.” So far, “at least one person has been apprehended.”
“Yeah, this is really bad,” says Jake Williams, vice president of research and development at the cybersecurity consultancy Hunter Strategy. “What the threat actors stole here are essentially call data records. These are a gold mine in intelligence analysis because they allow someone to understand networks—who is talking to whom and when. And threat actors have data from previous compromises to map phone numbers to identities. But even without identifying data for a phone number, closed networks—where numbers only communicate with others in the same network—are almost always interesting.”
The incident is significant not only because of its sheer scale and reach but because AT&T says it is the latest in a staggering spate of data thefts that resulted from attackers compromising organizations’ Snowflake cloud accounts. Snowflake is a data warehousing platform, and attackers collected its customers’ account credentials in recent months to steal hundreds of millions of records from about 165 Snowflake clients, including Ticketmaster, Santander bank, and LendingTree’s QuoteWizard.
The AT&T data is from both landline and cellular accounts and spans May 1, 2022, to October 31, 2022. A smaller, undisclosed number of people also had records from January 2, 2023, stolen in the breach. The company said on Friday that the data trove “does not contain the content of calls or texts” and does not include the date and time of communications. But attackers did make off with phone numbers and a massive amount of so-called “metadata” about calls and texts, including who contacted whom, call durations, and tallies of a customer’s total calls and texts. The trove also includes some cell site identification numbers—essentially cell tower data that can be used to approximate a cellphone’s location when it made or received a call or text.
The data includes some records of people who are customers of phone carriers—known as “mobile virtual network operators”—that contract with AT&T to use the larger company’s networks and infrastructure for their service. And, crucially, the stolen trove exposes people who have no relationship with AT&T when they communicated with an AT&T customer during the relevant time spans.
Though the breach is not a worst-case scenario in every possible way—the data does not, for example, include identifying customer information like Social Security numbers—it could be a gold mine for attackers looking to construct compelling phishing attacks and other scams to target individuals or specific communities of people. And the breach underscores that even without the contents of communications, leaked metadata still has major implications for people’s privacy and security. This is why privacy advocates have long made a distinction between communication platforms—namely, the secure messaging app Signal—that are designed to generate the absolute bare minimum of metadata, versus other communication platforms that don’t curtail metadata use to the same degree. This even includes other end-to-end encrypted services like WhatsApp.
The Google-owned cybersecurity firm Mandiant investigated the string of Snowflake account intrusions and said in June that financially motivated criminal hackers, tracked under the name UNC5537, are behind the attacks. The group used info-stealing malware to grab credentials for companies’ Snowflake accounts and then easily logged into any accounts that didn’t have two-factor authentication enabled. The security feature was turned off by default on Snowflake accounts. Snowflake has since put new multifactor authentication policies in place.
AT&T emphasizes that it “does not believe” the data stolen in the breach is publicly available. But that doesn’t mean that it poses no threat from the actor that stole it. On Friday, the US Cybersecurity and Infrastructure Security Agency released an alert about the situation. And, though only a handful of victims of the Snowflake rampage have come forward, hackers have already been advertising, trying to sell, and demanding ransoms from impacted companies over data stolen from their Snowflake accounts. Actors including ShinyHunters and another account going by the handle Sp1d3rHunters have been advertising the data on the cybercrime marketplace BreachForums, which was recently resurrected after being taken down by law enforcement, and demanding companies pay millions for the data to be removed.
Additional reporting by Matt Burgess.