US telecom giant AT&T disclosed that hackers had stolen call records for tens of millions of its customers. In a surprising twist, the company paid a member of the hacking team more than $300,000 to delete the stolen data and provide proof of deletion.
The hacker, who is part of the notorious ShinyHunters group known for stealing data through unsecured cloud storage accounts, confirmed to WIRED that AT&T paid the ransom in May.
Blockchain records verify a payment of approximately 5.7 bitcoin (worth $373,646 at the time) was made on May 17. The funds were then laundered through various cryptocurrency exchanges and wallets.
Hackers Exploited Poorly Secured Snowflake Accounts
AT&T learned of the breach in April through a security researcher known as Reddington. Another hacker, believed to be John Erin Binns, had contacted Reddington claiming to have obtained call logs of millions of AT&T customers by accessing a poorly secured Snowflake cloud storage account.
AT&T is one of over 150 companies believed to have had data stolen from Snowflake accounts that lacked proper multi-factor authentication during a hacking spree in April and May. Other notable victims include Ticketmaster, Santander, LendingTree, and Advance Auto Parts.
Stolen Data Included Call Metadata and Cell Site IDs
The stolen AT&T data comprised call and text messaging metadata, but not the content of communications or customer names, according to AT&T’s SEC filing. However, the hackers claimed they could easily identify phone owners using reverse-lookup programs.
The breach affected nearly all AT&T cellular customers and customers of other carriers who communicated with them between May and October 2022, and on January 2, 2023. Landline numbers were also impacted.
The data included communication dates, call durations, and in some cases, cell site IDs that could reveal a phone’s general location.
Although AT&T learned of the breach in April, it only disclosed it publicly on Friday after receiving exemptions from the Department of Justice to delay notification.
The FBI had wanted to assess potential national security or public safety risks before the breach was revealed.
William Wright, CEO of Closed Door Security, told Cyber Press, “The attacks on Snowflake customers have impacted the data of millions of individuals.
However, the loudest alarm bells are coming from reports that AT&T actually paid a ShinyHunters threat actor hundreds of thousands of dollars to delete its data.
As one of the world’s leading telco providers, this is an action few would expect. AT&T should be setting the bar for security, not funding threat actors.
Most large enterprises would want to avoid this at all costs as it sends a very bad message to the criminal world and can seriously harm reputations.
Let’s just hope the attacker keeps their end of the bargain.”
Hacker Arrested in Turkey for Unrelated T-Mobile Breach
In a further twist, Binns, the alleged mastermind behind the AT&T breach, was arrested in Turkey in May for an unrelated 2021 hack involving T-Mobile data. Binns, a US citizen living in Turkey, was indicted in 2022 on 12 counts related to the T-Mobile breach, which affected over 40 million people.
Despite AT&T’s payment to delete the stolen data, some customers may still be at risk, since other parties might hold copies of portions of the data. The incident highlights the growing threat of hackers exploiting poorly secured cloud storage accounts to steal sensitive information from major corporations.