Thursday, November 21, 2024


AT&T Pays $370,000 Ransom to Hackers in Major Data Breach

American telecommunications giant AT&T disclosed that it paid hackers a ransom of $370,000 in cryptocurrency to recover the call records of tens of millions of its customers. The hackers belong to the notorious hacking group known as ShinyHunters, which gained access to the information through an unsecured Snowflake cloud storage account.

The breach, which affected nearly all AT&T wireless customers and subscribers of numerous MVNOs that use AT&T’s network, was discovered in April. According to AT&T, the hackers exfiltrated files containing records of customer call and text interactions that took place from May 1 to October 31, 2022, and on January 2, 2023. The files included telephone numbers, interaction counts, and aggregate call durations. Some of the records also contained cell site identification numbers, which would allow hackers to determine a customer’s location at the time of a given call or text.

AT&T further disclosed that it had discovered the intrusion on April 19, 2024, and had already launched its response procedures. The company is cooperating with law enforcement authorities; at least one man, a 24-year-old American citizen named John Binns, has been arrested so far in connection with the cyber attack. Binns had earlier been arrested in Turkey in May 2024 and was separately charged by the US with hacking T-Mobile in 2021 and selling its customer data.

The hackers had initially demanded $1 million from AT&T but ended up receiving $370,000. The payment was made in May, with the hacker posting a video as proof of data deletion. This was corroborated by many sources, including blockchain tracking tools and security researchers.

AT&T explained that the stolen data did not include the content of calls or texts, or personally identifiable information such as Social Security numbers and dates of birth. Despite this, a warning was issued, since publicly available online tools could be used to map the phone numbers in the data to identities.

This exposes as many as 165 Snowflake customers, among them major companies such as Ticketmaster, Santander, Neiman Marcus, and LendingTree. Google-owned Mandiant attributed the activity to a financially motivated threat actor it dubbed UNC5537, which includes members based in North America who work in conjunction with another member located in Turkey.

In response, Snowflake has noted that administrators will now be able to enforce mandatory multi-factor authentication (MFA) for all users in an attempt to lower the risk of account takeover. It added that it will mandate MFA for all users within newly created Snowflake accounts.

The U.S. Federal Communications Commission has opened an investigation into the AT&T breach and is continuing to cooperate fully with law enforcement agencies in this matter. AT&T has warned customers to be on guard against phishing, smishing, and online fraud, advising that customers open only text messages from trusted senders.

The incident leaves no doubt that cybercrime has grown into a major concern, and it shows just how far companies need to go in protecting their data and ensuring their clients’ privacy. As fallout from this cybercrime spree continues to spread, it reminds us how vulnerable we are in today’s digital landscape.
