ICYMI, AT&T has acknowledged that cyber thieves stole basically the phone bills for all of their customers. The data includes information you would see on a phone bill, including the source and destination of calls on your AT&T mobile device(s), and the same for SMS messages.

AT&T said it delayed disclosing the breach "on national security and public safety concerns." And we're learning now that the FBI has confirmed this.

AT&T's SEC filing says some cellular site tower information is also among the data accessed by the intruders, which could be used to determine the approximate location of where a call was made or text message sent.

This raises an important question: Was the AT&T customer data stolen from a law enforcement portal set up by AT&T? Sure seems like it.

https://techcrunch.com/2024/07/12/att-phone-records-stolen-data-breach/

AT&T says criminals stole phone records of 'nearly all' customers in new data breach | TechCrunch

The stolen data includes 110 million AT&T customer phone numbers, calling and text records, and some location-related data.

There are so many fscked up issues here. For starters, AT&T says this data was stolen as a result of the Snowflake debacle, which involved huge buckets of corporate/customer data that were hosted on Snowflake but only secured with a username and password (no 2fa). It boggles the mind that anyone could consider mobile call records and associated location data as somehow undeserving of multi-factor authentication.
AT&T said the 110M customer records were not taken from a law enforcement portal, neither in whole nor in part.

We don't know yet who was behind this hack. But in its SEC filing today, AT&T said at least one suspect had been detained in connection with the theft, which AT&T said it became aware of in April.

This is interesting because in May, a notoriously elusive hacker known for breaking into telecom providers in the U.S. and abroad named John Erin Binns was reportedly arrested in Turkey. He was nabbed on an FBI warrant in connection with an indictment unsealed in January for a massive 2021 data breach at T-Mobile affecting > 56M people. At the time, Binns bragged about the T-Mobile breach to the Wall Street Journal (two weeks after I identified him as the likely hacker).

https://thedesk.net/news/john-binns-t-mobile-hacker-arrested-extradition/

https://krebsonsecurity.com/2021/08/t-mobile-investigating-claims-of-massive-data-breach/

@briankrebs How can these people be clever enough to hack a phone company and still too dumb to check to see if a country has an extradition agreement with the US or not? How??
@alan Binns comes across as a technical genius, particularly w/ hardware and telecom stuff. But he's clearly not playing with a full deck (or really wants everyone to believe that's the case). Check out that 2021 story I linked to on his history of suing the federal government. He claims the Turkish authorities worked with the CIA to plant mind control devices and substances in him. Here's a snippet of a typical message stream from Binns:
@briankrebs And that's a perfectly good explanation of "how". Thanks!
@briankrebs Whether or not it was exfiltrated from the portal itself seems like a separate question (AKA a dodge) from whether or not the data would have been retrievable were it not for law enforcement’s retention requirements.
@briankrebs how carefully do we need to parse that denial? Would this denial include backend systems and associated R&D experiments that are designed to support law enforcement access, or is this denial restricted to just a compromise of the portal itself? Given the nature of the data, this still feels a lot like some sort of AT&T backend built to support current or future law enforcement requests, and the breach was of a poorly secured backend rather than a compromise of the law enforcement-facing portal.
@DaveMWilburn @briankrebs right, is this some weird semantic distinction? "It was in the database the LE portal connects to, not the LE portal! It also hosts our lunch venue selection data for the Albuquerque field office!"
@DaveMWilburn @briankrebs or like... would they not consider whatever mechanism DISHFIRE uses an LE portal? ( https://en.wikipedia.org/wiki/Dishfire )

@briankrebs Whew, that's a relief. And because they haven't lied multiple times about this and previous recent breaches, we can totally trust them on that.
@briankrebs I knew the Snowflake shenanigans were really bad, but in light of this where should we be reading more? I have no business with Snowflake but would like to learn from their mistakes.

@briankrebs Snowflake discovered the technology,

https://stackdiary.com/snowflake-admins-can-now-enforce-mfa-across-all-user-accounts/

It won't do much for everyone already affected, but you are correct—the level of stupidity is high with this one. As you probably saw, Mandiant told TechCrunch that around ~160 companies might have been affected.

https://techcrunch.com/2024/06/10/mandiant-hackers-snowflake-stole-significant-volume-data-customers/

Snowflake admins can now enforce MFA across all user accounts

In the wake of a series of high-profile data breaches, cloud data giant Snowflake is now enabling administrators to mandate multi-factor authentication

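For anyone wanting to turn the Snowflake lesson above (customer data behind a username and password alone, and the MFA enforcement Snowflake now offers admins) into something actionable, here is an added example. It is not code from this thread, from AT&T or from Snowflake; it assumes the column names of the documented SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view and Snowflake's authentication policy syntax, and the policy name require_mfa and the user etl_loader are made up for illustration.

```sql
-- 1. Audit first: which users have signed in with a password and no
--    second factor in the last 30 days? ACCOUNT_USAGE views lag real
--    time by up to a few hours. Column names are assumed from the
--    documented LOGIN_HISTORY view.
SELECT user_name,
       COUNT(*)             AS password_only_logins,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY user_name
ORDER  BY password_only_logins DESC;

-- 2. The weak state needs no configuration at all: with no
--    authentication policy set, a correct password is sufficient and
--    MFA is opt-in per user, which is how the breached tenants were left.

-- 3. Hardened state: an account-level authentication policy that makes
--    MFA enrollment mandatory for every password user. The policy name
--    "require_mfa" is made up for this example.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED;

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 4. Service accounts that genuinely cannot complete an MFA prompt should
--    move to key-pair authentication rather than be exempted from the
--    policy. The user name and the key body are placeholders.
ALTER USER etl_loader SET RSA_PUBLIC_KEY = 'MIIB...';
```

Run the audit query before setting the policy so you know which automated logins will start failing, then fix those by switching them to key-pair auth; leaving them on passwords and carving out exceptions reproduces exactly the gap the thread is about.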
@briankrebs
It wasn't the data they actually value obviously.

@briankrebs

You know, the NSA had to secretly pay good money to secretly get this data and now it’s just out there for anyone!

@briankrebs It provides plausible deniability while providing a way for AT&T to keep feeding people's data to the NSA and other high bidders.
@briankrebs I've been waiting for this pin to drop for years now. It was pretty damn obvious that AT&T was compromised when I suddenly started receiving scam calls pretending to be them and having information that only AT&T should have, just days after I first signed up for their service in 2022. Among other things, the scammers tried to steal a promotional gift card that they already knew every detail for except the CVV, by attempting to convince me there was a mistake with the card. They knew my address, AT&T account number, and various other tidbits.

@briankrebs it boggles the mind that companies outsource their core data (storage) to third parties.

And if parties like Snowflake bear the brunt of incidents like this, while the responsible company, in this case AT&T, goes relatively unscathed, we as societies are proving to Boards everywhere that outsourcing responsibility is a good business strategy.

The perverse incentives are a real issue here.

@avuko @briankrebs

It kind of boggles my mind that so many companies outsource their source code management to Microsoft-owned GitHub.

"outsourcing responsibility" didn't work out so well for Boeing, who had to give their CEO the old heave-ho and are in the process of reacquiring Spirit.

@avuko @briankrebs
They do it because, even with failures like this, those companies are often better at it than they are. SaaS isn't the problem here.
@briankrebs also insane Snowflake didn’t enforce it for everyone
@briankrebs it’s called “doing an Optus” in Telco circles, I believe.