Cybercriminals Stole Text and Call Records From ‘Nearly All’ of AT&T’s Customers

If you’re an AT&T customer, you have a brand new reason to hate your cellular provider. In a turn of events that is somehow both totally predictable and totally pathetic, the second-largest wireless carrier in the U.S. has announced that hackers recently stole call and text records belonging to “nearly all” of its customers.

“In April, AT&T learned that customer data was illegally downloaded from our workspace on a third-party cloud platform,” the company said Friday in a Securities and Exchange Commission disclosure. “We launched an investigation and engaged leading cybersecurity experts to understand the nature and scope of the criminal activity. We took steps to close off the illegal access point.”

Between April 14 and April 25, 2024, the hacker exfiltrated files “containing AT&T records of customer call and text interactions that occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023,” AT&T says. Thankfully, the records that were stolen did not have identifying data points. According to the company, “personal information such as Social Security numbers, dates of birth, or other personally identifiable information” were not stolen. Nor were the contents of the texts and calls.

Instead, the information that was taken reveals the phone numbers that a particular person called (or was called by) during the given period, as well as the frequency with which those interactions occurred. The records identify the numbers “with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month,” the disclosure reads.

In other words, the hackers appear to have stolen totally anonymized data. However, such data need not necessarily stay anonymous for long. This is something that AT&T readily admits to in its disclosure: “While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number,” the company sheepishly admits.

Once a hacker has de-anonymized your number and knows who you are, they could hypothetically do it with the numbers you’ve interacted with, allowing them to understand the network of people you surround yourself with and your relationships with them. In other words, what AT&T has admitted without openly saying is that this breach is fucking terrible.

On the dark web, this kind of data is traded and can be compiled with other breach information to create fairly comprehensive dossiers on particular people. According to AT&T, however, the company says it “does not believe that the data is publicly available,” which is a decidedly vague way to phrase it.

“AT&T is working with law enforcement in its efforts to arrest those involved in the incident. Based on information available to AT&T, it understands that at least one person has been apprehended,” the company discloses in its filing.

Disclosure of the breach was delayed somewhat by the Justice Department, AT&T claims. “On May 9, 2024, and again on June 5, 2024, the U.S. Department of Justice determined that…a delay in providing public disclosure was warranted,” the company’s disclosure reads.

The timing of the hacking incident is weird, given that, in April, AT&T also disclosed a large, separate data breach that impacted as many as 73 million customers. Most of those customers were former customers, but some—in fact, 7.6 million—were current ones. That data breach did include personally identifiable information, including Social Security numbers, email addresses, phone numbers, dates of birth, AT&T account numbers, and AT&T passcodes.

According to AT&T’s own timeline, the company disclosed a massive terrible data breach in April and then, like a week later, suffered another massive terrible data breach. If there’s any clear and present evidence that you should switch to Verizon (or maybe just toss your cell phone out a third-story window), this has to be it.

Gizmodo reached out to AT&T for more information on this colossal misstep and will update this story if it responds.
