Massive AT&T Data Breach Unleashes Call Logs of 109 Million Customers: Confidentiality at Risk
Imagine the shock of learning that the call logs of nearly all AT&T mobile customers were stolen from an online database. That is what happened to approximately 109 million customers when threat actors accessed the company's Snowflake account. The breach occurred between April 14 and April 25, 2024.
In a Form 8-K filing with the SEC, AT&T revealed that the stolen data contains call and text records of nearly all AT&T mobile clients and customers of mobile virtual network operators (MVNOs) made from May 1 to October 31, 2022, and on January 2, 2023.
The stolen data includes:
- Telephone numbers of AT&T wireline customers and customers of other carriers.
- Telephone numbers with which AT&T or MVNO wireless numbers interacted.
- Count of interactions (e.g., the number of calls or texts).
- Aggregate call duration for a day or month.
- For a subset of records, one or more cell site identification numbers.
Thankfully, the exposed records did not contain the content of the calls or texts, customer names, or any other personal information such as Social Security numbers or dates of birth. However, the communications metadata can still be correlated with publicly available information, potentially revealing identities in many cases.
AT&T took action as soon as they learned of the breach, working with cybersecurity experts and notifying law enforcement. The US Department of Justice granted permission twice, on May 9, 2024, and June 5, 2024, to delay public notification due to potential risks to national security and public safety.
Moreover, AT&T is working with law enforcement to apprehend those involved in the breach, and at least one person has already been arrested. The company has implemented additional cybersecurity measures to prevent unauthorized access in the future and will notify impacted customers soon.
AT&T customers can check if their phone number’s data was exposed and download the stolen data associated with their number by following the links provided on this FAQ page. As of now, AT&T has no evidence that the accessed data has been made publicly available and says the incident is not related to the 2021 data breach that impacted 51 million customers.
The Snowflake data theft attacks
AT&T confirmed that the data was stolen from its Snowflake account as part of a wave of recent data theft attacks using compromised credentials. Snowflake is a cloud-based database provider that allows customers to perform data warehousing and analytics on large volumes of data.
Last month, Mandiant revealed that a financially motivated threat actor tracked as ‘UNC5537’ was behind multiple attacks against Snowflake customers, using account credentials stolen via infostealer malware. Since then, Snowflake has introduced a mandatory multi-factor authentication (MFA) enforcement option for workspace administrators to protect accounts against easy take-overs leading to data breaches impacting millions of people.
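Because these intrusions relied on stolen passwords for accounts without MFA, a useful first check is which accounts still log in successfully with a password alone. The sketch below is an added example, not code from AT&T, Snowflake or Mandiant; the log layout, column names and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of login events (not real data). The column names are
# assumptions made for this example, not a documented product schema.
SAMPLE_LOG = """\
timestamp,user,client_ip,first_factor,second_factor,success
2024-04-10T08:01:00Z,etl_svc,198.51.100.10,PASSWORD,,true
2024-04-14T02:13:00Z,etl_svc,203.0.113.77,PASSWORD,,true
2024-04-14T02:15:00Z,etl_svc,203.0.113.77,PASSWORD,,true
2024-04-11T09:30:00Z,alice,198.51.100.22,PASSWORD,MFA_TOKEN,true
2024-04-12T09:31:00Z,alice,203.0.113.5,PASSWORD,,false
2024-04-12T10:00:00Z,bob,198.51.100.23,RSA_KEYPAIR,,true
"""


def audit_single_factor(log_text):
    """Return {user: {"logins": n, "ips": [...]}} for every account that
    completed at least one successful password-only login."""
    findings = defaultdict(lambda: {"logins": 0, "ips": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["success"].strip().lower() != "true":
            continue  # failed attempts are a separate signal, not counted here
        password_only = (row["first_factor"].strip() == "PASSWORD"
                         and not row["second_factor"].strip())
        if password_only:
            entry = findings[row["user"]]
            entry["logins"] += 1
            entry["ips"].add(row["client_ip"])
    return {user: {"logins": e["logins"], "ips": sorted(e["ips"])}
            for user, e in findings.items()}


def prioritise(findings):
    """Order accounts so those seen from the most distinct source IPs come first."""
    return sorted(findings, key=lambda u: (-len(findings[u]["ips"]), u))


if __name__ == "__main__":
    result = audit_single_factor(SAMPLE_LOG)
    for user in prioritise(result):
        info = result[user]
        print(f"{user}: {info['logins']} password-only logins from {info['ips']}")
```

Accounts this surfaces are candidates for MFA enrollment or, for service accounts, a move to key-based authentication with network restrictions.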
AT&T now joins a list of high-profile victims that includes Advance Auto Parts, Pure Storage, Los Angeles Unified, Neiman Marcus, Ticketmaster, and Banco Santander.
As IT Services experts, we encourage you to stay informed and vigilant about the security of your personal information, and to contact us if you have any questions or concerns. By working together, we can help protect you and your data from the ever-evolving threats that exist in the digital world.