Telecommunications giant AT&T has revealed that customer data has been illegally downloaded by threat actors.
Hackers downloaded the data from AT&T's workspace on a third-party cloud platform, the company confirmed in a statement published on July 12.
According to a filing with the US Securities and Exchange Commission (SEC), the company first learned on April 19, 2024, that call logs had been accessed and copied unlawfully.
AT&T confirmed that, based on an investigation, the data includes files containing AT&T records of calls and texts of nearly all of AT&T's cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T's wireless network, as well as AT&T's landline customers who interacted with those cellular numbers between May 1, 2022, and October 31, 2022.
The compromised data also includes records from January 2, 2023, for a very small number of customers.
"The breach against AT&T is large and will certainly worry any customer whose data has been leaked. Customers should exercise extreme caution and be on the lookout for any potential phishing attacks or other types of fraud. With the type of data stolen, SMS phishing could be particularly prevalent," said Christiaan Beek, Senior Director Threat Analytics, Rapid7.
While the data doesn't contain the content of calls or texts, the records identify the telephone numbers an AT&T or MVNO cellular number interacted with during the periods mentioned.
The company also doesn't believe any personally identifiable information, such as social security numbers and dates of birth, has been affected. At the time, the company issued a statement saying it didn't believe the data is publicly available. Operations at AT&T haven't been affected.
In the SEC filing, AT&T said it has taken additional cybersecurity measures in response to this incident, including closing off the point of unlawful access. AT&T will notify current and former impacted customers.
This latest AT&T data breach is not related to an earlier incident which saw 73 million current and former customer records advertised on a dark web marketplace in April.
Snowflake at the Source of the AT&T Breach
Reports suggest that the third-party cloud provider affected was Snowflake.
Elliott Wilkes, CTO of Advanced Cyber Defence Systems (ACDS), commented: "This breach appears to be the result of an attacker exfiltrating AT&T data stored in a Snowflake account, adding over 100 million affected customers to an already staggering amount of data leaked from Snowflake accounts. It's possible that the Snowflake attack might end up as one of the largest data breaches to date."
Data warehousing platform Snowflake has been at the center of a spate of data thefts affecting its customers.
This includes Ticketmaster, which confirmed unauthorized activity within a third-party cloud database environment containing company data earlier in June 2024.
To date, over 160 organizations using Snowflake have been notified that they have potentially been exposed.
In Mandiant's analysis of the Snowflake incident, it identified a financially motivated threat actor, tracked as UNC5537, advertising data stolen from some victims for sale on cybercrime forums.
Mandiant researchers said that UNC5537 is "systematically" compromising Snowflake customer instances using stolen customer credentials.
In June, Jake Williams, former US National Security Agency (NSA) hacker and Faculty member at IANS Research, urged organizations to build an inventory of any data they have in Snowflake. They should also be aggressively rotating/invalidating authentication material, including API keys and access tokens, which may have found its way into a Snowflake instance, especially ones managed by a third party.
Williams further advised that whether your business is a Snowflake customer or not, vendor management teams should be reaching out to service providers to make sure they are aware of this issue.
"Ask if your data is in one of their Snowflake instances. Also ask whether they can affirmatively state that any of your data shared with other parties is not in a Snowflake instance," he said.
MFA in the Spotlight
Multi-factor authentication (MFA) was not enabled in many of the Snowflake incidents, meaning successful authentication required only a valid username and password.
"Software vendors, cloud and infrastructure providers, technology companies and the like need to urgently implement MFA by default," Wilkes said. "This shouldn't be a premium feature with added cost but standard security, table stakes for putting your products on the market."
In an update in June, Brad Jones, CISO at Snowflake, said that the company is developing a plan to require its customers to implement advanced security controls, MFA or network policies.
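The controls discussed above (Williams' advice to inventory Snowflake data and rotate leaked credentials, and the MFA and network-policy requirements Jones describes) can be checked and applied from Snowflake's own SQL console. The script below is an added example written for this page; it is not from the article, from Mandiant, or from Snowflake's own guidance. The ACCOUNT_USAGE views and columns are Snowflake's documented ones as recalled here, the MFA_ENROLLMENT syntax of authentication policies should be verified against current Snowflake documentation, and the policy names (corp_only, require_mfa), the service account svc_etl and the 203.0.113.0/24 range are placeholders.

```sql
-- Added example (not from the article or from Snowflake): audit and harden a
-- Snowflake account against credential-only access. Run as ACCOUNTADMIN.
-- Placeholders: corp_only, require_mfa, svc_etl, 203.0.113.0/24.

-- 1. Enabled users who can log in with a password but never enrolled in MFA.
--    EXT_AUTHN_DUO is TRUE once the user has enrolled in Snowflake's Duo MFA.
SELECT name, has_password, has_rsa_public_key, ext_authn_duo, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 30 days that presented only a password.
--    These are exactly the sessions a stolen credential alone would produce;
--    review client_ip and reported_client_type for unfamiliar sources.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER  BY event_timestamp DESC;

-- 3. Inventory of what is actually stored in the account (Williams' first step),
--    largest tables first, so the sensitive ones can be identified and owners found.
SELECT table_catalog, table_schema, table_name, row_count, bytes, last_altered
FROM   snowflake.account_usage.tables
WHERE  deleted IS NULL
ORDER  BY bytes DESC;

-- 4. Network policy: only allow connections from the corporate egress range.
--    Make sure the address you are connecting from is in the list first,
--    otherwise the ALTER ACCOUNT below locks you out too.
CREATE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Corporate egress only; add VPN and CI ranges as needed';
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 5. Authentication policy: require MFA enrollment for interactive and driver
--    logins account-wide (syntax as recalled; confirm against Snowflake docs).
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL')
  COMMENT = 'A username and password alone must not be enough';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 6. Invalidate authentication material that may have leaked through a
--    third-party integration: revoke the service account's key pair and
--    disable it until a fresh key has been issued out of band.
ALTER USER svc_etl UNSET RSA_PUBLIC_KEY;
ALTER USER svc_etl SET DISABLED = TRUE;
```

Two practical caveats: the ACCOUNT_USAGE views are populated with a delay (up to about two hours for LOGIN_HISTORY), so the audit queries describe the recent past rather than the current second, and the network policy should be attached at the account level only after confirming that every legitimate source (office egress, VPN, CI runners, partner ETL jobs) is covered, since the policy applies to every user not otherwise exempted.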