AT&T reportedly paid ransom for deletion of stolen call logs after culprit allegedly detained

The scale of AT&T’s data breach continued to widen over the weekend, with reports emerging that AT&T paid a $370,000 ransom to a hacker who obtained the logs of calls and texts to more than 100 million customers.

Reporters from WIRED and Bloomberg spoke to a hacker who claimed to have been paid by AT&T, providing both outlets with a Bitcoin wallet address and a video of themselves deleting the data. 

AT&T declined to comment when asked about the payment, which was allegedly made in May. Writing for WIRED, cybersecurity journalist Kim Zetter reported that the unidentified hacker is part of the ShinyHunters hacking group and worked with hacker John Erin Binns on organizing the stolen data. 

Erin Binns is best known for taking credit for a data breach involving T-Mobile in 2021. He is a U.S. citizen but is believed to currently reside in Turkey, where his mother is from. Over the weekend, 404 Media reported that Erin Binns was involved in the AT&T data theft.

Erin Binns was detained by Turkish authorities in May after being indicted for his role in the T-Mobile hack — Zetter was told this is why AT&T paid the ransom to another hacker with whom Erin Binns had allegedly shared access to the data.

Zetter reported that a researcher who facilitated the ransom payment told her AT&T was likely the first of the more than 165 organizations impacted by a string of thefts from customers of data storage giant Snowflake. 

A Snowflake spokesperson did not address several questions about the new reporting, instead directing Recorded Future News to a statement from last week indicating the company has made several changes to its products that allow customers to make multifactor authentication mandatory. 

Importance of call data records

AT&T told the SEC on Friday that metadata from “nearly all” call logs and texts made by AT&T customers over a six-month period in 2022 was stolen.

A spokesperson for the telecom giant confirmed that the number of people affected was about 109 million. 

While the breach did not include text messages or call recordings, it did involve “records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (MVNO) using AT&T’s wireless network.”

“These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month,” the company said in the SEC filing. 

“For a subset of records, one or more cell site identification number(s) are also included. While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.”

The researcher who facilitated the ransom payment told Zetter that Erin Binns personally showed him how easy it was to identify someone by information included in the breached data. 

Multiple experts said that people should not dismiss the leak as unimportant just because it did not include text messages or call recordings. The potential exposure of cell tower data is particularly alarming, according to Secure Cyber Defense CEO Shawn Waldman, because it could allow hackers to pinpoint locations based on phone numbers.

Jake Williams, a former hacker for the National Security Agency, said threat actors have used data from previous compromises to map phone numbers to identities. 

“What the threat actors stole here are effectively call data records (CDR), which are a gold mine in intelligence analysis because they can be used to understand who is talking to who — and when,” he said. 

Williams noted that even those who are not AT&T customers may have some exposure if they work with an MVNO that piggybacks off of AT&T’s network. He also outlined several ways hackers might use the information, including publicizing ties between certain organizations that wanted to keep associations out of public view. 

Threat actors may also use the data to understand who is using SMS-based multifactor authentication. 

CDRs are extremely valuable data, according to ColorTokens vice president Agnidipta Sarkar, because they can reveal where someone lives, who they call more frequently than others and more. 

Others warned that CDRs could allow for phishing attacks, corporate espionage or worse. 

“Imagine a bad actor mapping the communication patterns of executives or government officials. They could identify key relationships, pinpoint vulnerabilities, and craft highly sophisticated attacks,” said DoControl co-founder Omri Weinberg. 

“This goes beyond individual privacy - it's a matter of corporate and national security.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.