Crooks broke into AT&T email accounts to empty their cryptocurrency wallets

Threat actors are gaining access to AT&T email accounts in an attempt to hack into the victim’s cryptocurrency exchange accounts.

Hackers are breaking into the AT&T email accounts and then using the access they are logging into the victim’s cryptocurrency exchange accounts to drain their crypto funds, TechCrunch reported.

Crooks are targeting people who have att.net, sbcglobal.net, bellsouth.net and other AT&T email addresses. Some users with AT&T email addresses wrote on Reddit that they have been hacked, and some of them claim they had the same issue for months.

TechCrunch’s sources speculate the hackers have access to a part of AT&T’s internal network, then they exploited an API bug that allows them to take control of victims’ email addresses.

“According to the tipster, the hackers are able to do that because they have access to a part of AT&T’s internal network, which allows them to create mail keys for any user. Mail keys are unique credentials that AT&T email users can use to log into their accounts using email apps such as Thunderbird or Outlook, but without having to use their passwords.” reads the post published by TechCrunch.

Once obtained the victim’s mail key, attackers can use an email app to log into the target’s account and use the access to reset passwords for online services used by the target, including cryptocurrency exchanges. At this time it is still unclear the number of impacted users-

The sources also shared with TechCrunch a list of alleged victims and two of them confirmed they have been hacked, one of them told revealed that hackers stole $134,000 from his Coinbase account.

AT&T spokesperson Jim Kimberly told TechCrunch that the company is aware of the security breaches, she also added that they have “identified the unauthorized creation of secure mail keys, which can be used in some cases to access an email account without needing a password.”

The carrier has adopted security measures to prevent similar attacks, it also forced a password reset on some email accounts.

TechCrunch reported that a cybercrime gang claims to have access to the entire AT&T employee database, which can allow them to access an internal AT&T portal for employees called OPUS.

At the time of this writing, AT&T is denying that its portal was compromised by hackers.

In August 2021, ShinyHunters group claimed to have a database containing private information on roughly 70 million AT&T customers, but the company denies that they have been stolen from its systems.

Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, AT&T)