Pierluigi Paganini
July 15, 2024
An American hacker who lives in Turkey claimed responsibility for the recently disclosed AT&T data breach. The man also said the company paid a ransom to ensure that stolen data would be deleted, reported Wired.
On Friday, the telco giant disclosed a new data breach that exposed phone call and text message records for approximately 110 million people.
The stolen data was stolen on a database hosted by the company’s Snowflake, reported Techcrunch quoting an AT&T spokesperson.
On April 19, 2024, the company learned that a threat actor claimed to have stolen the call logs and immediately activated its incident response procedure with the help of external cybersecurity experts.
The company immediately notified law enforcement, and the US Department of Justice allowed AT&T to delay the public disclosures of the incident on May 9, 2024 and June 5, 2024.
The telco giant pointed out that stolen data does not contain call or text content, Social Security numbers, birth dates, or other personal information.
“Based on its investigation, AT&T believes that threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated files containing AT&T records of customer call and text interactions that occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023, as described below.” reads the Form 8-K filling with the SEC.
“The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information. Current analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (“MVNO”) using AT&T’s wireless network. These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month. For a subset of records, one or more cell site identification number(s) are also included. While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.”
The company warned that metadata included in some of the compromised logs could allow threat actors to correlate them with third-party information, potentially identifying customers’ users.
Wired first reported that AT&T paid a ransom of 5.7 Bitcoin (approximately $370,000 at the time of the transaction) in May to prevent the stolen data from being leaked. The hacker provided proof of the transaction and Wired confirmed the authenticity of the evidence.
“US telecom giant AT&T, which disclosed Friday that hackers had stolen the call records for tens of millions of its customers, paid a member of the hacking team more than $300,000 to delete the data and provide a video demonstrating proof of deletion.” reported Wired. “The hacker, who is part of the notorious ShinyHunters hacking group that has stolen data from a number of victims through unsecured Snowflake cloud storage accounts, tells WIRED that AT&T paid the ransom in May. He provided the address for the cryptocurrency wallet that sent the currency to him, as well as the address that received it. WIRED confirmed, through an online blockchain tracking tool, that a payment transaction occurred on May 17 in the amount of 5.7 bitcoin
A security researcher known as Reddington confirmed that AT&T paid a ransom. The hacker initially demanded $1 million but settled for $370,000. Reddington explained that he acted as an intermediary and received a fee from AT&T for his role and provided proof of this payment to WIRED. The hacker provided AT&T with a video as proof of data deletion. AT&T first learned of the breach through Reddington in mid-April when he was contacted by John Erin Binns (the hacker who lives in Turkey), who had accessed call and texting logs of millions of AT&T customers from an unsecured Snowflake cloud storage account. Reddington alerted the security firm Mandiant, which notified AT&T.
AT&T paid the ransom to Binns who allegedly stole “several billions” of records from AT&T.
Reddington said that Binns deleted the data stored in a cloud server that he and a ShinyHunters member could access. AT&T is among over 150 companies that had data stolen from poorly secured Snowflake accounts during the attacks in April and May.
However, Binns was arrested in Turkey in May for the 2021 T-Mobile massive data breach. Then the ransom was received by a ShinyHunters member.
“The hacker who received the payment from AT&T alleges that Binns was responsible for the breach and shared samples of the data with him and others after downloading it. He says he believes Binns allegedly stole “several billions” of records from AT&T, though WIRED was unable to confirm this.” continues Wired. “Reddington understands that the data that was deleted was the only complete dataset taken by the hackers. Reddington says he does not believe the hackers posted the data publicly, though he’s not sure how many people received excerpts of the data Binns allegedly provided or what they did with it.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransom)
