ICYMI, AT&T has acknowledged that cyber thieves stole basically the phone bills for all of their customers. The data includes information you would see on a phone bill, including the source and destination of calls on your AT&T mobile device(s), and the same for SMS messages.

AT&T said it delayed disclosing the breach "on national security and public safety concerns." And we're learning now that the FBI has confirmed this.

AT&T's SEC filing says some cellular site tower information is also among the data accessed by the intruders, which could be used to determine the approximate location of where a call was made or text message sent.

This raises an important question: Was the AT&T customer data stolen from a law enforcement portal set up by AT&T? Sure seems like it.

https://techcrunch.com/2024/07/12/att-phone-records-stolen-data-breach/

AT&T says criminals stole phone records of 'nearly all' customers in new data breach | TechCrunch

The stolen data includes 110 million AT&T customer phone numbers, calling and text records, and some location-related data.

There are so many fscked up issues here. For starters, AT&T says this data was stolen as a result of the Snowflake debacle, which involved huge buckets of corporate/customer data that were hosted on Snowflake but only secured with a username and password (no 2fa). It boggles the mind that anyone could consider mobile call records and associated location data as somehow undeserving of multi-factor authentication.

AT&T said the 110M customer records were not taken from a law enforcement portal, neither in whole nor in part.

@briankrebs how carefully do we need to parse that denial? Would this denial include backend systems and associated R&D experiments that are designed to support law enforcement access, or is this denial restricted to just a compromise of the portal itself? Given the nature of the data, this still feels a lot like some sort of AT&T backend built to support current or future law enforcement requests, and the breach was of a poorly secured backend rather than a compromise of the law enforcement-facing portal.

@DaveMWilburn @briankrebs right, is this some weird semantic distinction? "It was in the database the LE portal connects to, not the LE portal! It also hosts our lunch venue selection data for the Albuquerque field office!"

@DaveMWilburn @briankrebs or like... would they not consider whatever mechanism DISHFIRE uses an LE portal? ( https://en.wikipedia.org/wiki/Dishfire )