AT&T Breach Affected Millions

AT&T confirmed that threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform in April impacting nearly all its wireless customers and customers of MVNOs. Snowflake has since confirmed that the breach was connected to the hack that’s impacted other customers, such as Ticketmaster, Santander, Neiman Marcus, and LendingTree.

AT&T’s Statement

“We learned that AT&T customer data was illegally downloaded from our workspace on a third-party cloud platform. We started an investigation and engaged leading cybersecurity experts to help us determine the nature and scope of the issue. We have confirmed the access point has been secured.

Our investigation found that the downloaded data included phone call and text message records of nearly all of AT&T cellular customers from May 1, 2022 to October 31, 2022 as well as on January 2, 2023. These records identify other phone numbers that an AT&T wireless number interacted with during this time, including AT&T landline (home phone) customers. For a subset of the records, one or more cell site ID numbers associated with the interactions are also included.

At this time, we do not believe the data is publicly available. We continue to work with law enforcement in their efforts to arrest those involved. Based on information available to us, we understand that at least one person has been apprehended.”

How Hackers Gained Initial Access

Hackers initially obtained stolen credentials from dark web services. These credentials included usernames, passwords, and authentication tokens captured by malware.

Exploiting Third-Party Weaknesses

The attackers then gained access through a third-party contractor, EPAM Systems, which had legitimate access to the AT&T workspace on Snowflake. By compromising this contractor, they leveraged existing permissions to infiltrate the system.

Moving Within the Network

Once inside, the attackers escalated their privileges by exploiting vulnerabilities or using compromised credentials with higher access levels. They navigated the network using these credentials to access different parts of the AT&T workspace.

Data Exfiltration Over Eleven Days

Between April 14 and April 25, 2024, the threat actors systematically extracted files containing customer call and text interaction records from May 1 to October 31, 2022, and January 2, 2023.

The Extent of the Data Stolen

The stolen data included telephone numbers, counts of interactions, and aggregate call duration. Some records also had cell site identification numbers, potentially revealing customer locations during calls or texts.

“The threat actors have used data from previous compromises to map phone numbers to identities,” Jake Williams, former NSA hacker and faculty at IANS Research, said. “What the threat actors stole here are effectively call data records (CDR), which are a gold mine in intelligence analysis because they can be used to understand who is talking to who — and when.”

Scope and Impact

The breach affected nearly all AT&T wireless customers and MVNO customers, as well as other companies using Snowflake, such as Ticketmaster and Santander. Although it did not include call or text content or personal information, the call data records (CDRs) are highly valuable for intelligence analysis.

Risks and Consequences

The breached data increases the risk of phishing, smishing (SMS phishing), and online fraud. Users are advised to be vigilant and only open messages from trusted sources.

Who Are the Perpetrators?

The threat actors are linked to a financially motivated group named UNC5537, which includes members based in North America and collaborates with an additional member in Turkey. John Binns, a 24-year-old U.S. citizen previously arrested in Turkey, is associated with this incident.

Enhancing Security to Prevent Future Breaches

Credential Management

To enhance security and mitigate risks associated with standing privileges, it is crucial to implement the use of temporary credentials for third-party access. This approach involves generating dynamic secrets that provide access only for the duration needed, significantly reducing the window of opportunity for unauthorized access.

Dynamic secrets, also known as Just-In-Time (JIT) access, are generated on-the-fly and expire after a short period. This methodology ensures that credentials are valid only for the specific task and timeframe required, effectively eliminating standing privileges that can be exploited if compromised. By adopting this strategy, organizations can better safeguard sensitive resources and comply with best practices for secure access management.

For instance, when a third party needs access to a system, a temporary credential is created with limited permissions and a defined expiration time. This credential is revoked automatically once the task is completed, ensuring that no unnecessary access persists. Implementing such a system not only improves security but also simplifies auditing and compliance efforts.

Secrets Management

Secrets management helps prevent breaches by securely storing and dynamically managing sensitive information such as passwords, API keys, and encryption keys. By centralizing the control of these secrets, organizations can minimize the risk of unauthorized access and ensure that secrets are not hardcoded into applications or stored in unsecured locations. Automated secrets rotation and access control policies further reduce the risk of credential theft or misuse. Additionally, audit logs provide visibility into who accessed which secrets and when, enabling rapid detection and response to potential security incidents. This comprehensive approach to managing secrets significantly reduces the attack surface and enhances overall security posture.

Mandatory MFA

Enforcing MFA for all accounts adds an extra layer of security, making it significantly harder for attackers to gain access using stolen credentials alone.

Privileged Access Management (PAM)

Implementing PAM ensures only authorized users have access to sensitive systems and data. Limiting high-level access reduces the risk of lateral movement within the network.

Certificate and Key Management

Properly managing digital certificates and encryption keys ensures secure communication between systems and makes it harder for attackers to intercept and manipulate data.

Monitoring and Alerts

Robust monitoring and alerting systems can detect and respond to suspicious activity related to keys, certificates, or credentials quickly.

Why Akeyless Secrets Management is Essential

By understanding the hacker methods in the AT&T breach, you can take proactive steps to secure your enterprise. Akeyless Secrets Management provides the comprehensive protection you need to defend against unauthorized access and ensure the safety of your data.

Discover how we can help you at our resource center or book a call with one of our expert consultants today.

The post AT&T Data Breach: What Happened and How to Prevent It from Happening to Your Enterprise appeared first on Akeyless.

*** This is a Security Bloggers Network syndicated blog from Blog | Akeyless authored by AnneMarie Avalon. Read the original post at: https://www.akeyless.io/blog/att-data-breach-what-happened/