AT&T admits that hackers stole ‘nearly all’ customers' phone records

Originally published at: https://boingboing.net/2024/07/13/att-admits-that-hackers-stole-nearly-all-customers-phone-records.html

13 Likes

At this time, we do not believe the data is publicly available.

It’s too busy being sold and used to train various evil 'A.I.'s (“but aren’t all A.I.s evil?” “yeah pretty much. After all, Mister Rodgers only wrote down a couple of books’ worth”)

(fun puzzle time: if AT&T has, er had, 100 million customers and every one of them spent a whole minute of time “safe-guarding” their account as a result of this hack, how many ‘human years’ of time lost would that amount to? 190 years)

3 Likes
8 Likes

Season 7 Oops GIF by Workaholics

6 Likes

At this point, they might as well give the last few to the hackers as well.

Freedom’s just another word for nothing left to lose…

11 Likes

I generally avoid leaving my card on file, so these kinds of breaches don’t keep me up at night. I try not to think about the service that processes my rent payments with direct debit from my checking account. (And I try to tell myself surely there are other security considerations surrounding that system.)

6 Likes

Well, I guess the good news is that I’m only one of 127 million in this instance…

6 Likes

127 million “connected devices” probably doesn’t imply 127 million individual customers. Still sucks for AT&T.

1 Like

Sucks for their customers, more like. AT&T will face no real consequences for failing to secure their customers’ private information.

18 Likes

The joke’s on them if they got my private pictures and account information.

7 Likes

I hear you. They’ll get a lot of this from me:

13 Likes

I got a letter from att a while back about a breach but I couldn’t make head or tail of it.
first, I didn’t think I ever was their customer, but then I remembered I bought home internet from them for a few years. no phone. this was sometime between '15 and '20.
I’m no longer at that address and the card I paid with is not only expired but cancelled. I can’t find the letter now. they were cagy about revealing what all was disclosed; you know, “may include.” but maybe my SSN is on there? I don’t remember if it was required at sign up. maybe my browsing history was stolen? can they get my logins and passwords? I have a different bank now, too but google account and maybe amazon were in use then?
anyone know about this stuff? today’s news is apparently a second breach but I was never a phone customer.
I don’t guess there’s much I could do in any event?

5 Likes

I’ve not had a chance to review it yet (only AT&T lines are work-related and I’m not hassling with that until Monday); but one of the comments on the Ars Technica story provided a breakdown of what they received:

Not hugely unexpected; but bad: AT&T notes that “The data included aggregated counts of calls and texts and aggregated duration of calls over periods of time, and these are not included in the report” so the unknown third party has activity volumes; they’ve got interaction dates between numbers; and “daytime tower code” and “evening tower code” might as well be “where do you work” and “where do you live” in the bulk of cases.

But luckily no social security numbers; so nothing personal, man.

7 Likes

FTA

Investigators at Mandiant believe affected Snowflake customers didn’t have multifactor authentication enabled on their accounts. Snowflake has since made MFA mandatory for all instances.

We asked AT&T if it had forgotten to enable MFA on its Snowflake account, and that question went unanswered.

In other words, “yeah”. MFA won’t solve every problem like this, but it will hugely reduce the odds of it being successful.

There’s a saying about security: you need to be secure 100% of the time while an attacker only needs to be successful once.

ETA
Based on what I’m reading it looks like the data they have is basically the same as what appears in someone’s bill where you can see every call and SMS, along with some other metadata. I’d guess it’s some sort of log storage for billing or diagnostics.

It may not have names or addresses but phone numbers can easily be looked up and associated with a name and address. With tower location metadata you can build all kinds of highly personalized social graphs about individuals and their activities. How long does someone spend at a particular location? Who are they calling/texting? For how long? Where are they traveling from/to?

It also affects non-AT&T customers since you see the destination phone number which can be used in all kinds of nefarious ways. It’d obviously be even worse if the second party was an AT&T customer since you could just keep on building the graph out until you hit a dead end of a non-AT&T customer but you could still find out who they are.

10 Likes

This is the issue. A phone number is a pretty identifying piece of information and this doesn’t affect only AT&T customers. If you have called someone else that uses AT&T, your number is probably in there too. The leak connects people to each other. Given the entire database, you could even determine degrees of separation between people. It’s also going to be handy for scammers spoofing numbers that you have communicated with before.

7 Likes

… except maybe star in an action movie where we steal our information back from the thieves

Action Movie Bullet Proof GIF

5 Likes

Snowflake is a cloud-based data warehouse used by businesses primarily for analytics, reporting, business intelligence, marketing and other things like that. While the data store may have years’ worth of historical account and usage information, it would not contain personally identifiable data like bank accounts, SSNs or credit card info unless AT&T was exceptionally irresponsible by storing that stuff in their warehouse. User data like photos, files or logins isn’t stored by AT&T in the first place so there’s no chance of that being compromised in this breach.

Ironically, the Ticketmaster breach was also related to compromised Snowflake credentials - but unlike AT&T, the data they were keeping in their warehouse included user data which does contain PII and billing information. Storing that kind of data in a database unencrypted is a serious no-no from an InfoSec perspective.

9 Likes

I’m more concerned about the notice I got from Ticketmaster 2 days ago that told me my credit card information was exposed. I think that credit card is expired though. I really should log on and check.

I’m not worried about text messages or phone records or at least I don’t think I’m worried.

I’ve made it a pretty strict policy that I will never text or email anything that would get me in trouble if the other party showed or forwarded any of my messages.

I occasionally send my wife Dick pictures though.

10 Likes

thanks man

3 Likes

If this data is publicly released, it will be a treasure trove for stalkers and abusers. And the forced birther zealots. They can start harassing any number that shows activity at a tower near an abortion clinic.

It’s good there aren’t SSNs or credit card info. But this is still very bad.

9 Likes