The AT&T data breach disclosed in July 2024 has sent shockwaves across the cybersecurity community, affecting roughly 109 million customers. It has raised significant concerns about the safety of customers' personal data and underlined the need for robust cybersecurity measures, not just at small organizations but at industry giants as well.
How Did the AT&T Data Breach Happen?
AT&T has reported a significant data breach in which threat actors accessed the call logs of around 109 million customers, nearly all of its mobile clientele, from an AT&T workspace on a third-party cloud platform, identified in reporting as the company's Snowflake account. The company confirmed that the data was accessed between April 14 and April 25, 2024. According to a Form 8-K filed with the SEC on Friday, July 12, 2024, the stolen data encompasses call and text records of nearly all AT&T mobile customers, as well as customers of mobile virtual network operators (MVNOs), for the period from May 1 to October 31, 2022, and for January 2, 2023.
AT&T reportedly obtained permission from the US Department of Justice to delay public disclosure; the delay was granted twice, on 9 May 2024 and 5 June 2024, citing what the notice termed 'potential risks to national security and public safety'. The Federal Communications Commission (FCC) said in a post on X (formerly Twitter) on July 12, 2024: "We have an ongoing investigation into the AT&T breach and we're coordinating with our law enforcement partners."
Potential Impact of AT&T Data Breach
The AT&T data breach put the call and text metadata of roughly 109 million individuals at risk. The exposed records include the telephone numbers of nearly all AT&T wireless and MVNO customers and the numbers those lines interacted with, including AT&T wireline numbers and numbers on other carriers. They also include the count of interactions (calls or texts), aggregate call duration for a day or month, and, for some records, one or more cell site identification numbers. Notably, the exposed data did not contain the content of calls or texts, customer names, or other personal information such as Social Security numbers or dates of birth.
The sheer magnitude of this breach shows that in the current threat landscape not even industry giants escape cyber attacks, and that proactive cybersecurity strategies are needed to guard against large-scale threats. While the accessed communication logs contain no names, call and text metadata can be correlated with publicly accessible information (reverse phone lookups, social media profiles, earlier leaked datasets) to identify the parties and map who communicated with whom, and the cell site identifiers can place some customers geographically.
In the wake of the breach, affected users face an elevated risk to their identity, privacy and security. The data is now in criminal hands and can be used in several ways: to craft targeted social engineering attacks against exposed users (a caller who knows whom you called and when is far more convincing), or to sell in the lucrative hacker black markets of the dark web.
The consequences of a breach do not end with the initial intrusion; affected users endure a lasting increase in exposure to threats against their digital persona. AT&T customers should check their accounts for unusual activity, and those most concerned about identity theft may consider a credit freeze or an identity theft protection service. The breach also comes shortly after AT&T suffered a massive nationwide outage across the US.
The Snowflake Data Breach Fallout
AT&T says its data was stolen as part of the wider Snowflake data breach. Earlier this year, a number of organizations, reportedly including Zoom, Accenture, Talentz, OKCupid, and Zendesk, had their accounts compromised at Snowflake, a company that lets customers perform data warehousing and data analytics on massive datasets at scale on cloud infrastructure.
In June 2024, Mandiant disclosed that a group it tracks as UNC5537 was behind the series of attacks on Snowflake customer instances. According to the report, the campaign aimed to steal data from Snowflake customer database instances and extort the owners. Snowflake is a multi-cloud data warehousing platform designed to store and analyze large amounts of structured and unstructured data. UNC5537 is believed to have already stolen a significant volume of records from Snowflake customer environments. The actor gained access using credentials belonging to customers' employees and contractors, many of them harvested by infostealer malware, and targeted accounts that did not enforce multi-factor authentication and were not restricted by network allow lists. It then sought to sell the victim data on cybercrime forums and tried to extort the victims.
UNC5537 is a financially motivated threat actor that Mandiant identified as responsible for the campaign against customer instances of the cloud data platform Snowflake. To date, Mandiant and Snowflake have notified approximately 165 potentially exposed organizations. AT&T now joins a growing list of high-profile victims of the Snowflake data breach, which includes Advance Auto Parts, Pure Storage, QuoteWizard (LendingTree), Los Angeles Unified School District, Neiman Marcus, Live Nation (Ticketmaster), and Santander Bank.
Since then, Snowflake has added an option for account administrators to make multi-factor authentication (MFA) mandatory for all users, closing the password-only access path that made these account takeovers, and the resulting breaches affecting millions of people, possible.
Snowflake Data Breach IOCs – UNC5537
According to Mandiant Intelligence, the following IP addresses (defanged) are associated with UNC5537 activity against Snowflake customer instances:
- 102[.]165[.]16[.]161
- 104[.]129[.]24[.]115
- 104[.]129[.]24[.]124
- 104[.]223[.]91[.]28
- 146[.]70[.]117[.]210
- 146[.]70[.]117[.]56
- 146[.]70[.]119[.]24
- 146[.]70[.]124[.]216
- 146[.]70[.]165[.]227
- 146[.]70[.]166[.]176
- 146[.]70[.]171[.]112
- 146[.]70[.]171[.]99
- 154[.]47[.]30[.]137
- 154[.]47[.]30[.]150
- 162[.]33[.]177[.]32
- 169[.]150[.]201[.]25
- 169[.]150[.]203[.]22
- 169[.]150[.]223[.]208
- 173[.]44[.]63[.]112
- 176[.]123[.]3[.]132
- 176[.]123[.]6[.]193
- 176[.]220[.]186[.]152
- 184[.]147[.]100[.]29
- 185[.]156[.]46[.]144
- 185[.]156[.]46[.]163
- 185[.]204[.]1[.]178
- 185[.]213[.]155[.]241
- 185[.]248[.]85[.]14
- 185[.]248[.]85[.]59
- 192[.]252[.]212[.]60
- 193[.]32[.]126[.]233
- 194[.]230[.]144[.]126
- 194[.]230[.]144[.]50
- 194[.]230[.]145[.]67
- 194[.]230[.]145[.]76
- 194[.]230[.]147[.]127
- 194[.]230[.]148[.]99
- 194[.]230[.]158[.]107
- 194[.]230[.]158[.]178
- 194[.]230[.]160[.]237
- 194[.]230[.]160[.]5
- 198[.]44[.]129[.]82
- 198[.]44[.]136[.]56
- 198[.]44[.]136[.]82
- 198[.]54[.]130[.]153
- 198[.]54[.]131[.]152
- 198[.]54[.]135[.]35
- 198[.]54[.]135[.]67
- 198[.]54[.]135[.]99
- 204[.]152[.]216[.]105
- 206[.]217[.]205[.]49
- 206[.]217[.]206[.]108
- 37[.]19[.]210[.]21
- 37[.]19[.]210[.]34
- 45[.]134[.]140[.]144
- 45[.]134[.]142[.]200
- 45[.]155[.]91[.]99
- 45[.]27[.]26[.]205
- 45[.]86[.]221[.]146
- 5[.]47[.]87[.]202
- 66[.]115[.]189[.]247
- 66[.]63[.]167[.]147
- 79[.]127[.]217[.]44
- 87[.]249[.]134[.]11
- 93[.]115[.]0[.]49
- 96[.]44[.]191[.]140
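As an added example (not code from AT&T, Snowflake or Mandiant), the Python below shows how a responder might use the list above together with the MFA point from the previous section. It refangs a subset of the published addresses, parses a constructed CSV sample shaped like Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view, and flags three things: any login attempt from a listed address, successful password logins with no second factor (the access path UNC5537 used and what mandatory MFA closes), and successful logins from outside an assumed corporate egress range (203.0.113.0/24, the kind of range a Snowflake network policy would restrict to). The IOC subset, the sample rows and the allowed range are assumptions for the example.

```python
"""Sweep Snowflake LOGIN_HISTORY-style records for UNC5537 indicators (added example)."""
import csv
import io
import ipaddress

# Subset of the Mandiant-published UNC5537 addresses listed above, kept defanged
# so the script can be pasted around safely. A real sweep loads the whole list.
UNC5537_IOCS_DEFANGED = [
    "102[.]165[.]16[.]161",
    "146[.]70[.]117[.]210",
    "185[.]156[.]46[.]144",
    "194[.]230[.]144[.]126",
    "45[.]134[.]140[.]144",
]


def refang(ioc: str) -> str:
    """Turn '1[.]2[.]3[.]4' into '1.2.3.4', rejecting anything that is not an IP."""
    return str(ipaddress.ip_address(ioc.replace("[.]", ".").strip()))


IOC_SET = frozenset(refang(i) for i in UNC5537_IOCS_DEFANGED)

# Assumed corporate egress range: with a Snowflake network policy in place this
# would be the only source of successful logins.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample in the shape of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY.
# The IOC addresses are real ones from the list; the users and times are made up.
SAMPLE_LOGIN_HISTORY = """\
event_timestamp,user_name,client_ip,reported_client_type,first_authentication_factor,second_authentication_factor,is_success
2024-04-14T02:11:09Z,SVC_ETL,146.70.117.210,PYTHON_DRIVER,PASSWORD,,YES
2024-04-14T02:12:40Z,SVC_ETL,146.70.117.210,PYTHON_DRIVER,PASSWORD,,YES
2024-04-15T09:01:33Z,ALICE,203.0.113.17,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-04-15T09:05:12Z,BOB,203.0.113.22,SNOWFLAKE_UI,PASSWORD,,YES
2024-04-16T23:44:51Z,ALICE,45.134.140.144,SNOWFLAKE_UI,PASSWORD,,NO
2024-04-17T11:20:05Z,CAROL,198.51.100.9,JDBC_DRIVER,OAUTH_ACCESS_TOKEN,,YES
"""


def parse_login_history(text: str) -> list[dict]:
    """Parse a CSV export of LOGIN_HISTORY; empty cells become None, is_success a bool."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        row = {k: (v if v != "" else None) for k, v in raw.items()}
        row["is_success"] = row["is_success"] == "YES"
        rows.append(row)
    return rows


def ioc_hits(rows: list[dict]) -> list[dict]:
    """Every attempt from a listed address, failed ones included: a failed login from
    an actor IP is the actor trying stolen credentials that may still work elsewhere."""
    return [r for r in rows if r["client_ip"] in IOC_SET]


def password_only_logins(rows: list[dict]) -> list[dict]:
    """Successful password logins with no second factor, i.e. accounts an enforced
    MFA policy would have protected."""
    return [
        r for r in rows
        if r["is_success"]
        and r["first_authentication_factor"] == "PASSWORD"
        and r["second_authentication_factor"] is None
    ]


def off_network_successes(rows: list[dict], allowed=ALLOWED_NETWORKS) -> list[dict]:
    """Successful logins from outside the expected egress ranges; a network policy
    would have blocked these, so in historic data each one is a lead."""
    hits = []
    for r in rows:
        if not r["is_success"]:
            continue
        ip = ipaddress.ip_address(r["client_ip"])
        if not any(ip in net for net in allowed):
            hits.append(r)
    return hits


def triage(rows: list[dict]) -> dict[str, list[str]]:
    """Group findings by user name so the responder knows which credentials to rotate."""
    return {
        "ioc_hits": sorted({r["user_name"] for r in ioc_hits(rows)}),
        "password_only": sorted({r["user_name"] for r in password_only_logins(rows)}),
        "off_network": sorted({r["user_name"] for r in off_network_successes(rows)}),
    }


if __name__ == "__main__":
    for finding, users in triage(parse_login_history(SAMPLE_LOGIN_HISTORY)).items():
        print(f"{finding}: {', '.join(users) or '-'}")
```

On a real account, export the LOGIN_HISTORY view (it retains about a year of events) and run the same checks over it. Mandiant noted that UNC5537 often arrived through commercial VPN services, so a hit on one of these addresses is a lead to investigate, not a verdict on its own; the password-only and off-network findings are the ones that tell you which accounts were exposed regardless of where the actor came from.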
Are You At Risk from the AT&T Data Breach? What Should AT&T Customers Do?
If you are an AT&T customer, you may be wondering whether you are affected and what to do next.
- Look for direct communication from AT&T about the breach; it will contain the essential information and next steps. Rely on that rather than on rumours, and check your account for any irregular activity.
- Change your passwords, especially if you use the same password across multiple services.
- Be extra cautious of unsolicited calls, texts or emails asking for personal, account or credit card details, including ones claiming to come from your service provider. These may be phishing attempts capitalizing on the breach, and the stolen call records make such approaches more convincing.
- Stay vigilant and learn in advance how to respond to potential identity theft.
- If you suspect you are the target of fraud on your AT&T wireless number, report it to AT&T's fraud team.
See our recent article “How Can Cyber Attacks Be Prevented in 2024?” to understand various measures you can take to prevent cyber attacks.
Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The SOC Labs assumes no liability for the accuracy or consequences of using this information.