Sunday, September 8, 2024

AT&T says hackers stole call records of ‘nearly all’ wireless customers

Hackers stole records detailing the phone contacts of almost all AT&T Wireless customers in one of the most serious breaches of sensitive consumer data in recent years, the company disclosed in a securities filing Friday.

The cache includes the numbers called or texted by more than 100 million customers between May 1 and Oct. 31, 2022, as well as one day in January 2023. It contains the numbers themselves as well as the frequency and combined durations of the interactions, but not the customer names or the content of those communications, AT&T said.

Since most numbers can be tied to real names, such records illuminate who is close to whom. That would provide a road map for criminals who could impersonate a friend or relative to trick a victim. Texts from financial institutions could be mimicked to get an account holder to divulge passwords, and workplace relationships could reveal the identity of U.S. spies.

“This data could be used by spies, scammers and other bad actors to target specific people or to improve the feasibility of scams by impersonating the numbers of people you regularly call,” said technologist Cooper Quintin of the Electronic Frontier Foundation.

The ability of U.S. intelligence to access similar calling records was one of the most alarming and impactful revelations by federal contractor Edward Snowden a decade ago. Now a large swath of it might be for sale to criminals and other governments.

AT&T said it had not detected the material being made public, and it said one person had been arrested. The company said it learned of the theft in April but, at the request of law enforcement citing national security or public safety reasons, delayed the disclosure now required under recently adopted Securities and Exchange Commission regulations. It is the first time such a delay has been disclosed.

Justice Department spokesman Joshua Stueve confirmed that the FBI had invoked the legal provision allowing the delay, and said AT&T had aided the investigation. He did not say how the breach could have impacted national security. The Federal Communications Commission said it was also investigating.

While Social Security and credit card numbers were not included in the breach, the identity of cell towers for an undisclosed number of customers was, and those would point to their physical locations.

Even without that location data, hackers could work out relationship webs, experts warned. Someone targeting a criminal prosecutor or police officer might be able to identify a close relative and then use that number to find out where they live. Spurned romantic partners could do the same.

Because those in contact with AT&T users also have their numbers listed, “just about EVERYONE in the US who uses SMS or voice telephony is likely represented to some degree,” tech security expert Matt Blaze wrote on the social media platform Mastodon.
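To make concrete how metadata alone exposes these relationship webs, here is an added example of mine (not anything from the article, AT&T or the investigators). It loads a constructed, made-up set of records shaped like the fields the article lists into an in-memory SQLite table and runs the kind of queries someone holding the data would run: rank a number's closest contacts, find strong reciprocal ties, enumerate numbers that belong to non-customers, and pivot from a target to a close contact's cell tower. All numbers, tower IDs and counts are invented.

```python
import sqlite3

# Constructed sample of carrier call/text metadata shaped like the fields the
# article lists: the two numbers, how many times they interacted, the combined
# duration in seconds and, for some rows, the subscriber's cell-tower identifier.
# Every value here is invented; nothing comes from the breach.
SAMPLE_RECORDS = [
    # (subscriber, contact, interactions, total_seconds, tower_id)
    ("2025550101", "2025550142", 118, 9840, "DC-0417"),
    ("2025550101", "3035550177", 41, 2200, "DC-0417"),
    ("2025550101", "8005550199", 6, 300, None),   # toll-free line, e.g. a bank
    ("2025550142", "2025550101", 118, 9840, "DC-0522"),
    ("2025550142", "7035550133", 24, 1100, "DC-0522"),
    ("3035550177", "2025550101", 41, 2200, "DEN-0031"),
    ("3035550177", "3035550180", 73, 4400, "DEN-0031"),
]

def load(records):
    """Load the records into an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE cdr (
        subscriber TEXT NOT NULL, contact TEXT NOT NULL,
        interactions INTEGER NOT NULL, total_seconds INTEGER NOT NULL,
        tower_id TEXT)""")
    conn.executemany("INSERT INTO cdr VALUES (?, ?, ?, ?, ?)", records)
    return conn

def closest_contacts(conn, number, limit=3):
    """A subscriber's contacts ranked by interaction count, then total duration."""
    return conn.execute(
        """SELECT contact, interactions, total_seconds FROM cdr
           WHERE subscriber = ?
           ORDER BY interactions DESC, total_seconds DESC LIMIT ?""",
        (number, limit)).fetchall()

def reciprocal_pairs(conn, min_interactions=20):
    """Pairs where each side has the other on record: the strongest ties."""
    return conn.execute(
        """SELECT a.subscriber, a.contact, a.interactions
           FROM cdr a JOIN cdr b
             ON a.subscriber = b.contact AND a.contact = b.subscriber
           WHERE a.subscriber < a.contact AND a.interactions >= ?
           ORDER BY a.interactions DESC""",
        (min_interactions,)).fetchall()

def non_customer_numbers(conn):
    """Numbers that appear only as contacts: people who are not customers of
    the carrier but are still represented in the data set."""
    rows = conn.execute(
        """SELECT DISTINCT contact FROM cdr
           WHERE contact NOT IN (SELECT subscriber FROM cdr)""").fetchall()
    return {r[0] for r in rows}

def pivot_to_tower(conn, target):
    """Take a target's closest contact and return the tower on that contact's
    own rows, which narrows down where the contact (and likely the target) is."""
    top = closest_contacts(conn, target, limit=1)
    if not top:
        return None
    contact = top[0][0]
    row = conn.execute(
        """SELECT tower_id FROM cdr
           WHERE subscriber = ? AND tower_id IS NOT NULL LIMIT 1""",
        (contact,)).fetchone()
    return contact, (row[0] if row else None)

if __name__ == "__main__":
    db = load(SAMPLE_RECORDS)
    target = "2025550101"
    print("closest contacts of", target, closest_contacts(db, target))
    print("reciprocal pairs", reciprocal_pairs(db))
    print("non-customer numbers present", sorted(non_customer_numbers(db)))
    print("pivot", pivot_to_tower(db, target))
```

Note that none of these queries need a name: the toll-free number identifies itself as a business line, the reciprocal pairs identify the close relationships, and the non-customer numbers show why people who never had an AT&T contract are still in the set.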

A major concern is that the data could be used to locate U.S. government workers employed abroad, or people communicating with the government, said David Berteau, president of the Professional Services Council, which represents contractors employing security-cleared workers.

“Given what we know now, there is clearly a risk to anybody who has a [security] clearance who might have called anybody who has an AT&T phone. Which is probably anybody with a clearance,” Berteau said.

AT&T said the attack began with illicit access to one of its accounts with a major but low-profile cloud data storage company, Snowflake. More than 100 of that company’s corporate customers have been compromised in the past few months. Snowflake says most if not all of the victims were not using multifactor authentication.

“The incident was limited to an AT&T workspace on Snowflake’s cloud platform and did not impact AT&T’s network,” the phone company said. It said affected consumers would be notified and provided with resources to help protect their information.

“We sincerely regret this incident occurred,” AT&T said. It did not respond to questions about whether the relevant Snowflake account had two-factor authentication.

AT&T generates so much data, and uses it for so many things, that it is closely watched for the technology it picks. AT&T has boasted in Snowflake marketing material that it cut costs by 84 percent when it moved to Snowflake.

But Snowflake has come under heavy criticism from security experts for denying all responsibility for previous data breaches and being slow to aid customers. Related major breaches hit Ticketmaster and Advance Auto Parts.

Snowflake told The Washington Post on Friday that it was still working on a process that would allow customers to require two-factor authentication.

Previous Snowflake customer data dumps have been offered for sale in online criminal forums, indicating that the hackers making the most of the security weakness have been motivated by money.

In an earlier report, one of the security companies hired by Snowflake, Google Cloud’s Mandiant unit, said the hackers had used log-in credentials initially obtained by what are called infostealers — specialized malware that spirits away sensitive data from corporate or personal devices that have been compromised through other means.

Mandiant said that some of the infected devices had downloaded games or pirated software, a common vector for malware.
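A check I would run on a Snowflake account after reading the passages above about missing multifactor authentication and infostealer-harvested passwords (an added example of mine, not Snowflake's or Mandiant's tooling): pull recent rows from the account-usage LOGIN_HISTORY view and flag the patterns a stolen password exploits, namely a password login with no second factor, a password used from a programmatic driver rather than the web UI, and any login attempt from outside the organization's known address ranges. The view, column names and factor strings are the ones I believe Snowflake reports; the rows below are constructed sample data, not real logs, and the allowlist is hypothetical.

```python
import ipaddress

# Query I would run to pull the rows this script classifies. The view and column
# names are Snowflake's account-usage LOGIN_HISTORY as I know it; this is an added
# example, not Snowflake's or Mandiant's tooling.
LOGIN_HISTORY_QUERY = """
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor, is_success
FROM snowflake.account_usage.login_history
WHERE event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
"""

# Hypothetical corporate egress ranges (documentation-only addresses).
ALLOWED_NETWORKS = ["198.51.100.0/24", "192.0.2.0/24"]

# Constructed sample rows, not real logs. Factor and client-type strings are the
# values I believe the view reports.
SAMPLE_LOGINS = [
    {"event_timestamp": "2024-04-10T02:14:00", "user_name": "ETL_SVC",
     "client_ip": "203.0.113.25", "reported_client_type": "PYTHON_DRIVER",
     "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "YES"},
    {"event_timestamp": "2024-04-10T09:02:00", "user_name": "ANALYST1",
     "client_ip": "198.51.100.7", "reported_client_type": "SNOWFLAKE_UI",
     "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": "DUO_PUSH", "is_success": "YES"},
    {"event_timestamp": "2024-04-10T09:30:00", "user_name": "ANALYST2",
     "client_ip": "198.51.100.9", "reported_client_type": "SNOWFLAKE_UI",
     "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "YES"},
    {"event_timestamp": "2024-04-10T11:45:00", "user_name": "REPORT_SVC",
     "client_ip": "198.51.100.40", "reported_client_type": "JDBC_DRIVER",
     "first_authentication_factor": "RSA_KEYPAIR",
     "second_authentication_factor": None, "is_success": "YES"},
    {"event_timestamp": "2024-04-11T03:58:00", "user_name": "ANALYST2",
     "client_ip": "203.0.113.25", "reported_client_type": "PYTHON_DRIVER",
     "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "NO"},
]

def audit_logins(rows, allowed_networks=ALLOWED_NETWORKS):
    """Return one finding per login row that matches a risky pattern."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for r in rows:
        reasons = []
        ip = ipaddress.ip_address(r["client_ip"])
        # Any attempt, successful or not, from outside the known ranges.
        if not any(ip in n for n in nets):
            reasons.append("outside_allowlist")
        # Only successful logins tell us how access is actually being granted.
        if r["is_success"] == "YES" and r["first_authentication_factor"] == "PASSWORD":
            if not r["second_authentication_factor"]:
                reasons.append("password_without_mfa")
            if r["reported_client_type"] != "SNOWFLAKE_UI":
                # A password on a driver is usually a service account with no
                # MFA in the loop; key-pair auth is preferred for those
                # (a policy choice made in this example).
                reasons.append("password_on_programmatic_client")
        if reasons:
            findings.append({"user": r["user_name"], "ip": r["client_ip"],
                             "timestamp": r["event_timestamp"], "reasons": reasons})
    return findings

def summarize(findings):
    """Collapse findings to {user: set(reasons)} for a quick triage list."""
    by_user = {}
    for f in findings:
        by_user.setdefault(f["user"], set()).update(f["reasons"])
    return by_user

if __name__ == "__main__":
    for user, reasons in sorted(summarize(audit_logins(SAMPLE_LOGINS)).items()):
        print(f"{user}: {', '.join(sorted(reasons))}")
```

On the sample rows the script flags the service account that logs in with a bare password from an unknown address and the analyst whose password works without a second factor, while leaving alone the user with a Duo push and the service account on key-pair authentication. Treat the allowlist hit on a failed attempt as the signal it is: a stolen credential being tried.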

The hack marks the latest large-scale security incident for AT&T. In late March, the company disclosed that account information from 73 million current and former customers had been leaked to the dark web.

The incidents underscore the massive reach of one of America's largest wireless carriers and the vulnerability of calling data. Privacy advocates noted that smartphone messaging apps are less exposed to this kind of breach and that some, such as WhatsApp and Signal, offer full end-to-end encryption, meaning that no one can read the contents of a message without access to a device participating in the conversation.

They also urge consumers to use an authenticator app when logging in to a bank or other service provider, instead of one-time codes sent by text message, which can be intercepted.

AT&T said “nearly all” of its wireless customers had been affected. An employee speaking on the condition of anonymity for discussing private information said about 110 million wireless customers had data exposed.

Brad Jones, the chief information officer at Snowflake, said the company hasn’t seen evidence that Snowflake itself was breached, though it has confirmed a “targeted threat campaign” against some customers.

“We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” Jones said, adding that this was confirmed by Mandiant and CrowdStrike.

AT&T said the hack wouldn’t be material to its operations or negatively impact its financial results.