One or more unknown hackers stole records detailing the phone contacts of almost all AT&T Wireless customers in one of the most serious breaches of sensitive consumer data in recent years, the company disclosed in a securities filing Friday.
AT&T says hacker stole call records of ‘nearly all’ wireless customers
Since most numbers can be tied to real names, such records illuminate who is close to whom. That would provide a road map for criminals who could impersonate a friend or relative to trick a victim. Texts from financial institutions could be mimicked to get an account holder to divulge passwords, and workplace relationships could reveal the identity of U.S. spies.
The ability of U.S. intelligence to access similar calling records was one of the most alarming and impactful revelations by federal contractor Edward Snowden a decade ago. Now a large swath of it might be for sale to criminals and other governments.
AT&T is the largest cellphone carrier in the United States, according to Statista, with more than 200 million accounts.
AT&T said it had not detected the material being made public, and it said one person has been arrested. The company said it learned of the theft in April but delayed disclosing it — as required under recently adopted Securities and Exchange Commission regulations — at the request of law enforcement for national security or public safety reasons, the first time such a delay has been disclosed.
Justice Department spokesman Joshua Stueve confirmed that the FBI had invoked the legal provision allowing the delay, and said AT&T had aided the investigation. He did not say how the breach could have impacted national security.
While Social Security and credit card numbers were not included in the breach, the identity of cell towers for an undisclosed number of customers was, and those would point to their physical locations.
Even without that location data, hackers could work out relationship webs, experts warned. Someone targeting a criminal prosecutor or police officer might be able to identify a close relative and then use that number to find out where they live. Spurned romantic partners could do the same.
Because those in contact with AT&T users also have their numbers listed, “just about EVERYONE in the US who uses SMS or voice telephony is likely represented to some degree,” tech security expert Matt Blaze wrote on the social media platform Mastodon.
AT&T said the attack began with illicit access to one of its accounts with a major but low-profile cloud data storage company, Snowflake. More than 100 of that company’s corporate customers have been compromised in the past few months. Bozeman, Mont.-based Snowflake says most if not all of the victims were not using multifactor authentication.
“The incident was limited to an AT&T workspace on Snowflake’s cloud platform and did not impact AT&T’s network,” the phone company said. It said affected consumers would be notified and provided with resources to help protect their information.
“We sincerely regret this incident occurred and remain committed to protecting the information in our care,” the company said.
Snowflake has come under heavy criticism from security experts for denying all responsibility for previous data breaches and being slow to aid customers. It told The Washington Post on Friday that it was still working on a process that would allow customers to require two-factor authentication.
Previous Snowflake customer data dumps have been offered for sale in online criminal forums. In an earlier report, one of the security companies hired by Snowflake, Google Cloud’s Mandiant unit, said the hackers had used login credentials initially obtained by what are called infostealers — specialized malware that spirits away sensitive data from corporate or personal devices that have been compromised through other means.
Mandiant said that some of the infected devices had downloaded games or pirated software, a common vector for malware.
The hack marks the latest large-scale security incident for AT&T. In late March, the company disclosed that account information from 73 million current and former customers had been leaked to the dark web.
The incident underscores the massive reach of America’s largest wireless carrier.
The company did not specify how many customers were affected in the latest breach, saying only that “nearly all” of its wireless customers, as well as customers of mobile virtual network operators and some AT&T landline customers, had been affected.
Snowflake, in a statement from company Chief Information Officer Brad Jones, said it hasn’t seen any evidence suggesting a breach of its platform. The company has provided updates on its blog about a “targeted threat campaign” against some of its customers, although it wasn’t immediately clear whether that campaign is connected to the AT&T incident.
“We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” Jones said, adding that this was confirmed by Mandiant and CrowdStrike.
AT&T said the hack wouldn’t be material to its operations or negatively impact its financial results.