Hackers successfully stole the phone records of “nearly all” AT&T customers and an unnamed number of MVNO subscribers. AT&T has disclosed the incident to regulators and is working with law enforcement to rectify the situation. One suspect has already been apprehended for their alleged involvement.
Basic call and text records from mid-2022 and early 2023 were exposed in this breach. These records include inbound and outbound phone numbers, call duration, and, in some cases, location data (based on cellular tower ID numbers). Critical information, such as social security numbers, birthdays, or the contents of calls and texts, was not exposed.
The data leak extends to all MVNOs that utilize AT&T’s network. This includes Boost Infinite, Consumer Cellular, Cricket Wireless, Straight Talk, TracFone, and more.
However, AT&T itself was not the target of this attack. Hackers stole the phone records from Snowflake, a cloud storage and data analysis company that has grown notorious for its questionable security practices. Snowflake is the source of the recent Ticketmaster and Neiman Marcus data leaks, and it may be involved in security incidents that are yet to be disclosed.
AT&T hasn’t explained why customer phone records were in the hands of a third-party data analysis company. I suspect that this will become a pain point for those who are affected by the incident.
“Our investigation found that the downloaded data included phone call and text message records of nearly all of AT&T cellular customers from May 1, 2022 to October 31, 2022 as well as on January 2, 2023. These records identify other phone numbers that an AT&T wireless number interacted with during this time, including AT&T landline (home phone) customers. For a subset of the records, one or more cell site ID numbers associated with the interactions are also included.”
The long-term impact of this breach is unclear. While basic phone records can’t be used to commit identity theft, they could enable targeted phishing or harassment campaigns. A criminal may attempt to impersonate someone you regularly call and text, for example, or they may attempt to blackmail you with your embarrassing call history (the phishing threat is relevant to everyone, while blackmail is more of a concern for public figures).
As for whether the stolen phone records have been traded on the dark web—we don’t know. It may be too early to make any definitive statements on this particular point, though AT&T believes that hackers haven’t made the stolen data public.
AT&T discovered this breach on April 19th after a “theft actor” bragged about stealing call logs. Due to the scale of this incident, the U.S. Department of Justice ruled that AT&T should delay its public disclosure by more than 60 days. Delayed disclosures are permitted under SEC Form 8-K, though a delay of more than 30 days is described as an “extraordinary circumstance.”
For reference, this is the second data breach that AT&T has disclosed in 2024. The previous data breach, which exposed customers’ social security numbers, is unrelated to today’s incident.
Approximately 110 million AT&T customers will be notified of this breach. Those who are affected (basically all AT&T cellular customers) should continue following common cybersecurity practices as described in AT&T’s public notice. Law enforcement has apprehended a suspect and is working to arrest others who were involved in this incident.
