Let's breakdown how the AT&T breach will impact us at home and at work and what we can do to protect ourselves.

The AT&T breach includes numbers called and texted, the number of call and text interactions, the call length, and some people had cell site identification numbers leaked (which leaks the approximate location of person at the time that the call or text was placed).

How does this breach increase risk for us at home and at work?

1. Social Engineering Risk
The believability of social engineering attacks will increase for those affected because attackers know which phone numbers to spoof to you.
Attackers can pretend to be a boss, friend, cousin, nephew etc and say they need money, password, access, or data with a higher degree of confidence that their impersonation will be believable.

2. Threaten, Extort, & Harm Risk
This stolen data can reveal where someone lives, works, spends their free time, who they communicate with in secret including affairs, any crime based communication, or typical private/sensitive conversations that require secrecy. This is a big deal for anyone affected.

For celebrities and politicians, this information getting leaked greatly affects their privacy, physical safety, sensitive work, potentially even national security because the criminals have a record of who is in contact with whom, when and sometimes where.
The criminals could extort those people who are trying to keep that information (rightly) private, they could threaten their physical safety at the locations revealed in the metadata, they could pretend to be the people they called and texted often and ask for money, sensitive details, and increase the likelihood of successfully tricking that victim.

For those experiencing abuse or harassment, the impact of this breach is terrifying for their physical security and beyond as they need to keep their communications private to those that can help them get out of their abusive situation.

3. Increased Believable Phishing Attacks via Call, Email, Text, and Social Media Risk

If a criminal knows your phone number has regularly called a phone number belonging to a specific Bank, Doctor's Office, Government Office, etc then they know exactly who to pretend to be when contacting you and attempting to trick you.

For example, the criminal could pretend to be the bank that you interact with, spoof the bank phone number with an app from the app store, and say there is a problem with your account and suggest money is transferred to "protect the account" (a common scam), or could "help change a password" (another common scam) to gain access to the account and drain the funds.

In short, if a criminal knows WHO you interact with -- then they know WHO TO PRETEND TO BE to be when they try to trick you in a phishing phone call, email, text message, or social media direct message.

When criminals impersonate people or organizations that are trusted by their victim, the criminal is more successful in their attack.

4. Link Sensitive Political, Business, and Interpersonal Interactions Risk

When a criminal has a list of which phone numbers interact with whom, they are able to link sensitive interactions, communications, deals, crime, etc together.

This will impact those in national security, defense, policy, government officials, celebrities, politicians, everyone whose privacy is affected here.

Because phone numbers are linked to people's names and jobs via data brokerage sites, data breaches, LinkedIn, etc it's easy for criminals to start to associate phone numbers in the breach to people those victims have communicated with.

This of course creates risk for anyone in sensitive communication with other government officials, can leak sensitive business deal communications and timing, leak someone's potential involvement in a sensitive situation, etc.

*So, what can I do to keep myself, my family, and my organization safe and secure in the wake of this massive breach?*

- Be Politely Paranoid: recognize that your contacts and phone/text message interactions could be publicly available and increase the risk of social engineering, phishing, etc. Use 2 methods of communication to confirm people are who they say they are before sending money, sharing sensitive data, etc.

- Stop Reusing Passwords: if criminals know who we trust then they are able to pretend to be those people or companies to us, increasing phishing believability (when the criminal knows which bank we use, their phish is more relevant). Using a long, random, and unique password for each account helps ensure that you protect your accounts, even if one gets hacked/tricked out of you due to this breach.
Additionally, criminals can look up which companies we contact and trust from this breach then look up our phone number in other data breaches to gather passwords breached previously then use those stolen & reused passwords against current accounts to steal data/money without ever needing to phish folks in the first place.

- Turn on MFA (Multi-Factor Authentication): communications and companies we trust are less private now because of this breach so we need to protect our accounts with a second factor when logging in even more. This ensures the criminals can't just find or phish passwords then gain access to take over the account immediately -- I recommend app based MFA at the very least for many high threat model folks. If your family has lower comfortability for added technology, SMS 2FA is much better than nothing. If your threat model is extra high (in the public eye, etc): move toward a FIDO solution like YubiKey, etc.

- Use Encrypted Communications: encrypted communication help us avoid this specific type of data leakage in the future. There are many encrypted communication options including Signal, etc. Choose the one that is right for you.

Thank you @lorenzofb @techcrunch for chatting with me about how this breach impacts risk for everyday folks, celebrities, politicians, and more: https://techcrunch.com/2024/07/12/what-the-att-call-records-data-breach-means-for-you/