Hackers stole ‘nearly all’ call logs over six months from AT&T

Metadata from “nearly all” call logs and texts made by AT&T customers over a six-month period in 2022 was stolen by hackers who breached the telecom’s data storage platform in April.

AT&T filed documents with the Securities and Exchange Commission (SEC) on Friday that said the company learned of the incident on April 19. It confirmed to Recorded Future News that the breach occurred through the third-party cloud platform Snowflake — a data storage giant that has been beset by hackers who have targeted some of the company’s most prominent clients and leaked documents on hundreds of millions of people. 

An investigation revealed the hacker exfiltrated files from AT&T’s account on Snowflake between April 14 and April 25. 

“The incident was limited to an AT&T workspace on Snowflake’s cloud platform and did not impact AT&T’s network,” a company spokesperson said. 

When asked why the hacker was able to access the Snowflake account for nearly a week after AT&T discovered the issue, the spokesperson said it “took time to investigate the claim of a breach, determine its source, isolate the impacted data, and close off the illegal access point.”

The spokesperson said the hackers stole “aggregated metadata” about calls or texts and not the content of the conversations. AT&T has the most wireless subscribers in the U.S., far outpacing its rivals Verizon and T-Mobile.

A 2022 annual report showed that about 109 million people had accounts affected by the incident.

The telecom giant believes the hacker exfiltrated “files containing AT&T records of customer call and text interactions” from approximately the start of May 2022 until the end of October, as well as on January 2, 2023.

The breach involved “records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (MVNO) using AT&T’s wireless network.”

“These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month,” the company said in the SEC filing. 

“For a subset of records, one or more cell site identification number(s) are also included. While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.”

AT&T pledged to notify current and former customers and said it has closed off the point “of unlawful access.” At least one person involved in the theft has been arrested, the company said in the filing. 

The FBI told Recorded Future News that AT&T contacted them after identifying the breach. The company was granted an exemption to public reporting requirements by the Department of Justice due “potential risks to national security and/or public safety,” the FBI said.

An FBI spokesperson said the agency worked with AT&T and the Justice Department on two separate disclosure delays in order to help the telecom with its incident response.

AT&T is one of the first companies to publicly acknowledge obtaining an exemption from the Justice Department that allows them to delay filing documents with the SEC. The measure to allow for delays was a key part of controversial new SEC rules mandating the disclosure of cyber incidents. 

AT&T confirmed that it successfully obtained delays from the DOJ on May 9 and June 5 and that it used the extra time to work with law enforcement agencies “in its efforts to arrest those involved in the incident.”

A spokesperson for the Cybersecurity and Infrastructure Security Agency (CISA) said they are also working with AT&T to assess the impact. The spokesperson also urged organizations to enforce multifactor authentication — something experts have pointed to as a concern considering the hackers used only stolen login information to access Snowflake accounts. 

The April incident is the latest in a string of attacks on AT&T involving customer data. Earlier this year, it confirmed that a data set with the information of 73 million current and former customers is legitimate nearly two weeks after a hacker offered it on a dark web criminal marketplace. 

In 2023, another 9 million customers were impacted by a security issue and the company had to resolve a vulnerability that would have allowed anyone to take over someone’s account on ATT.com just by knowing their phone number and ZIP code.

In its SEC filing, the company said it does not believe the latest incident will have any impact on its financial condition. 

At least 165 Snowflake customers have allegedly been attacked by hackers who stole login information to employee accounts on the platform. Those affected include Ticketmaster, Advance Auto Parts, one of the largest school districts in the U.S., Neiman Marcus, Santander, LendingTree and more.