AT&T has admitted that cyberattackers grabbed a load of its data for the second time this year, and if you think the first haul was big you haven't seen anything: This one includes data on "nearly all" AT&T wireless customers - and those served by mobile virtual network operators (MVNOs) running on AT&T's network. 

The telco giant reported today that a "breach" at a "third-party cloud platform" resulted in the theft of call and text metadata, but not of any personal information belonging to customers. Nonetheless, some customers could be at risk because "a subset" of records contained in that storage account included one or more cell tower identification numbers, allowing any potential miscreants to roughly geolocate a customer whose data was stolen in the attack. 

An AT&T spokesperson told The Register that call/text records for just under 110 million customers were exposed in the incident, though that's based on the company's subscriber count from its 2022 annual report, we're told. 

The 110 million figure is derived from 2022's total subscriber count, minus IoT devices and additional lines, we're told. AT&T told us the 110 million number includes affected MVNO customers. 

AT&T said it doesn't believe any of the customer data stolen in the attack has been published online (yet), and that at least one person has been arrested by the FBI in connection to the theft of its records. 

The FBI didn't directly answer our questions regarding the arrest, only saying that it had been working with AT&T on the matter since shortly after the incident was discovered in mid-April, and that the lag in public disclosure was permissible due to delay request allowances for reporting potentially materially substantial data thefts. 

One more flake in the snow bank

For those seeing "third party cloud platform" and immediately assuming this is related to the ongoing recovery from attackers targeting vendors' accounts with cloud provider Snowflake - you'd be correct. AT&T is yet another high-profile customer affected by the digital break-in at Snowflake. 

If you've missed the avalanche, it's believed around 165 companies have had their data exposed in the April intrusion into Snowflake storage instances, which the storage vendor has claimed was a series of credential-stuffing attacks, meaning the criminals would have used legitimate credentials stolen in other online attacks to enter its customers' accounts - rather than by actually compromising Snowflake's systems.

Security researchers at Mandiant believe affected Snowflake customers didn't have multifactor authentication enabled on their accounts. Snowflake has since made MFA mandatory for all instances. 

We asked AT&T if it had forgotten to enable MFA on its Snowflake account, but that question went unanswered. 

Along with AT&T, the mass intrusion into Snowflake instances has affected companies like Ticketmaster and its Australian equivalent Ticketek, US auto supply store Advance Auto Parts, international bank Santander and lots more.

AT&T said in March that records belonging to 73 million current and former customers were published on the dark web, making this latest admission the second massive customer data exposure it has experienced this year, though it is believed the data exposed in March was stolen several years ago.

The telco told us the two incidents are unrelated, and has repeatedly asserted that the data stolen in the previous attack didn't come from its systems, either. ®

https://www.theregister.com//2024/07/12/att_admits_110_million_ppl_data_lost/