ICYMI, AT&T has acknowledged that cyber thieves stole basically the phone bills for all of their customers. The data includes information you would see on a phone bill, including the source and destination of calls on your AT&T mobile device(s), and the same for SMS messages.

AT&T said it delayed disclosing the breach "on national security and public safety concerns." And we're learning now that the FBI has confirmed this.

AT&T's SEC filing says some cellular site tower information is also among the data accessed by the intruders, which could be used to determine the approximate location of where a call was made or text message sent.

This raises an important question: Was the AT&T customer data stolen from a law enforcement portal set up by AT&T? Sure seems like it.

https://techcrunch.com/2024/07/12/att-phone-records-stolen-data-breach/

FBI declined to answer questions about whether this breach resulted from the compromise of data from some kind of law enforcement portal. Their statement:

"Shortly after identifying a potential breach to customer data and before making its materiality decision, AT&T contacted the FBI to report the incident. In assessing the nature of the breach, all parties discussed a potential delay to public reporting under Item 1.05(c) of the SEC Rule, due to potential risks to national security and/or public safety. AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work. The FBI prioritizes assistance to victims of cyber-attacks, encourages organizations to establish a relationship with their local FBI field office in advance of a cyber incident, and to contact the FBI early in the event of breach."

@briankrebs is it just me or is the national security mention tantamount to a tacit admission that it was likely related to law enforcement activity or capabilities?
@briankrebs and I don't mean that in the sense that it's necessarily as a result of misuse or any particular wrongdoing on the LEAs' part, but it's common knowledge that major service providers have systems (typically web portals) for handling things like law enforcement requests, and this is precisely the language I would expect them to use if one of those got popped.
@gsuberland @briankrebs I read the "national security" part as meaning that government members use the AT&T network for communications, but I may be naive in assuming that.
@briankrebs AT&T is not the victim here. AT&T customers are the victims. AT&T is partially responsible for its negligence in not having bleeping MFA on its Snowflake database, and putting this data in a damn data warehouse to begin with.
@briankrebs So, it was compromised via a law enforcement portal ...
@briankrebs i.e. it's possible it was FBI or DoJ who was the orig end client
@briankrebs That's a lot of words used to say basically nothing related to the question asked.
There are so many fscked up issues here. For starters, AT&T says this data was stolen as a result of the Snowflake debacle, which involved huge buckets of corporate/customer data that were hosted on Snowflake but only secured with a username and password (no 2fa). It boggles the mind that anyone could consider mobile call records and associated location data as somehow undeserving of multi-factor authentication.
AT&T said the 110M customer records were not taken from a law enforcement portal, neither in whole nor in part.

We don't know yet who was behind this hack. But in its SEC filing today, AT&T said at least one suspect had been detained in connection with the theft, which AT&T said it became aware of in April.

This is interesting because in May, a notoriously elusive hacker known for breaking into telecom providers in the U.S. and abroad named John Erin Binns was reportedly arrested in Turkey. He was nabbed on an FBI warrant in connection with an indictment unsealed in January for a massive 2021 data breach at T-Mobile affecting > 56M people. At the time, Binns bragged about the T-Mobile breach to the Wall Street Journal (two weeks after I identified him as the likely hacker).

https://thedesk.net/news/john-binns-t-mobile-hacker-arrested-extradition/

https://krebsonsecurity.com/2021/08/t-mobile-investigating-claims-of-massive-data-breach/

@briankrebs How can these people be clever enough to hack a phone company and still too dumb to check to see if a country has an extradition agreement with the US or not? How??
@alan Binns comes across as a technical genius, particularly w/ hardware and telecom stuff. But he's clearly not playing with a full deck (or really wants everyone to believe that's the case). Check out that 2021 story I linked to on his history of suing the federal government. He claims the Turkish authorities worked with the CIA to plant mind control devices and substances in him. Here's a snippet of a typical message stream from Binns:
@briankrebs And that's a perfectly good explanation of "how". Thanks!
@briankrebs Whether or not it was exfiltrated from the portal itself seems like a separate question (AKA a dodge) from whether or not the data would have been retrievable were it not for law enforcement’s retention requirements.
@briankrebs how carefully do we need to parse that denial? Would this denial include backend systems and associated R&D experiments that are designed to support law enforcement access, or is this denial restricted to just a compromise of the portal itself? Given the nature of the data, this still feels a lot like some sort of AT&T backend built to support current or future law enforcement requests, and the breach was of a poorly secured backend rather than a compromise of the law enforcement-facing portal.
@DaveMWilburn @briankrebs right, is this some weird semantic distinction? "It was in the database the LE portal connects to, not the LE portal! It also hosts our lunch venue selection data for the Albuquerque field office!"
@DaveMWilburn @briankrebs or like... would they not consider whatever mechanism DISHFIRE uses an LE portal? ( https://en.wikipedia.org/wiki/Dishfire )

@briankrebs Whew, that's a relief. And because they haven't lied multiple times about this and previous recent breaches, we can totally trust them on that.
@briankrebs I knew the Snowflake shenanigans were really bad, but in light of this where should we be reading more? I have no business with Snowflake but would like to learn from their mistakes.

@briankrebs Snowflake discovered the technology,

https://stackdiary.com/snowflake-admins-can-now-enforce-mfa-across-all-user-accounts/

It won't do much for everyone already affected, but you are correct—the level of stupidity is high with this one. As you probably saw, Mandiant told TechCrunch that around ~160 companies might have been affected.

https://techcrunch.com/2024/06/10/mandiant-hackers-snowflake-stole-significant-volume-data-customers/

@briankrebs
It wasn't the data they actually value obviously.

@briankrebs

You know, the NSA had to secretly pay good money to secretly get this data and now it’s just out there for anyone!

@briankrebs It provides plausible deniability while providing a way for AT&T to keep feeding people's data to the NSA and other high bidders.
@briankrebs i've been waiting for this pin to drop for years now. it was pretty damn obvious that AT&T was compromised when i suddenly started receiving scam calls pretending to be them and having information that only AT&T should have, just days after i first signed up for their service in 2022. among other things, the scammers tried to steal a promotional gift card that they already knew every detail for except the CVV, by attempting to convince me there was a mistake with the card. they knew my address, AT&T account number, and various other tidbits.

@briankrebs it boggles the mind that companies outsource their core data (storage) to third parties.

And if parties like Snowflake bear the brunt of incidents like this, while the responsible company, in this case AT&T, goes relatively unscathed, we as societies are proving to Boards everywhere that outsourcing responsibility is a good business strategy.

The perverse incentives are a real issue here.

@avuko @briankrebs

It kind of boggles my mind that so many companies outsource their source code management to Microsoft-owned GitHub.

"outsourcing responsibility" didn't work out so well for Boeing, who had to give their CEO the old heave-ho and are in the process of reacquiring Spirit.

@avuko
They do it because, even with failures like this, those companies are often better at it than they are. SaaS isn't the problem here.
@briankrebs
@briankrebs also insane Snowflake didn’t enforce it for everyone
@briankrebs it’s called “doing an Optus” in Telco circles, I believe.

@briankrebs

They said oddly that they closed the "illegal" place of entry. Odd phrasing.

@briankrebs I'm expecting far better spoofed number calls now that there's a handy dandy directory of who we expect to be hearing from frequently.

Sigh.

@davidseidl @briankrebs What happened to SHAKEN/STIR and Google Verified Calls and the other ways of preventing spoofed caller ID? How is it that we're still being subjected to fake calls—more of them every year?

@kcivey @briankrebs Everything I've seen says that while it's implemented by many, there's still a huge swathe of unattested calls, and that providers are likely letting calls with low or no attestation through.

I'd love to see some actual carrier data and analysis or a current FCC report on impact, but haven't run across any.

But spam calls and texts remain rampant for everyone I know.

@davidseidl @briankrebs I can understand not wanting to block all unverified calls, but they could at least show the recipient whether the source of a call is verified.
@briankrebs I thought T-Mobile was bad with security
@0bondo7 @briankrebs well, T-Mobile leaked my name, Social Security number, and date of birth 😬. My credit is frozen because of it. I think I would take AT&T data breach instead any day.
@david @0bondo7 @briankrebs AT&T had its own doxxing event last year. The phone data leak is the cherry on top.

@briankrebs

This would further explain the #SecuritybyObscurity #Tactics they're pulling off. Most #Experts know that these kinds of tactics make everything worse. #Nevertheless they kept it under #lock and #key. Says a lot about the #Faith in #Telephone #Corporations.

#securitybreach #mobilesecurity #mobilehacking

@briankrebs clever workaround to Carpenter v. United States
@Npars01 @briankrebs

Wait wait wait...
Are you telling ME that people who worship a man who BLEW UP the chemical factory he ran are burning our infrastructure to the ground?

Well, I'm going to need to see some proof...
https://open.spotify.com/episode/0JDqELjP3ylelBkXl7sgSY?si=3ja6-TcmSlGlGKs-zkCY-w

@Npars01 @briankrebs

I worked in software development on classified systems for 35 years. The one thing I would never have permitted had I been a CEO of a company or large corporation was the use of Microsoft products on any of the company's computers.

@briankrebs so basically everyone's home, work, friends' and family's locations could be deduced from it... yikes

@briankrebs

AT&T after SCOTUS ruling that regulations are pretty much decoration now:

"What are you going to do? Sue us?? 😈"

🤦🤦🤦🤦🤦🤦

@briankrebs Seems like there needs to be a law requiring insurance on these data warehouses, wherein an insurer would not insure applicants whose data protection practices allowed intrusion & theft, much the same way that a waterfront warehouse of valuables would not be insurable if thieves repeatedly broke in and stole from them.
@briankrebs I would say that I'm happy to not be an AT&T customer, but unfortunately with little-to-no transparency in the cell provider space, this could just as well be (and has been) Verizon, T-Mobile, Vodafone, etc.
Also this does smell like a LE portal breach, absolutely agree

@briankrebs

I agree. They have had web proxies available for many years for LE to hide their tracks during an investigation, so as not to tip off a subject of the investigation who may review their logs.

I would suspect one of two things.

Someone in LE actually scraped all of the data. Not likely.

Or, the proxy software was not maintained and had an exploit that could be leveraged into further lateral movement in the network. Most likely.

@briankrebs Is there any reason to switch providers? I'm not happy AT&T did this, but I question whether my other US providers are any better.
@briankrebs If AT&T can't figure out or be bothered to protect customer data... we're in deep trouble