110 Million AT&T Customers’ Logs Stolen via Snowflake Account Compromise

Published on July 15, 2024
Written by:
Lore Apostol
Infosec Writer & Editor
Edited by:
Novak Bozovic
Senior VPN Editor

American telecom giant AT&T Inc. announced in a regulatory filing that it was hit by a cyberattack between April 14 and April 25, 2024, which resulted in the exfiltration of call and text records for nearly all AT&T wireless customers, including customers of mobile virtual network operators (MVNOs) that run on AT&T's network.

The telco became aware of the attack on April 19; it affects almost 110 million customers. The stolen files contain records of AT&T customers' calls and texts between approximately May 1 and October 31, 2022, as well as on January 2, 2023.

The records identify the phone numbers each AT&T or MVNO wireless number interacted with, including numbers belonging to AT&T wireline customers and to customers of other carriers, together with the count of those interactions and the aggregate call duration.

However, the telco says the content of the calls and texts was not taken, nor was personal information such as customer names, Social Security numbers, dates of birth, or other personally identifiable information (PII). The caveat is that call-detail metadata is rarely anonymous in practice: a phone number can often be linked to a name with publicly available lookup tools, and AT&T itself acknowledged this in its customer notice. AT&T said in the filing that it does not believe the stolen data is currently publicly available.

AT&T also states that, based on the information available to it, at least one person involved in the data theft has been apprehended, but no further details were given.

The company's investigation concluded that the threat actors accessed an AT&T environment hosted on a third-party cloud data platform, which AT&T identified as Snowflake.

Mandiant has said roughly 165 organizations with Snowflake environments were potentially exposed in the wider campaign, which it attributes to the threat actor it tracks as UNC5537. Separately, a member of the infamous ShinyHunters hacking group claimed the data was taken from Snowflake customer accounts through a compromised account belonging to an employee of the contractor EPAM; that account has not been confirmed as the entry point in the AT&T case. Reports now suggest the actor known as Sp1d3r and ShinyHunters are working together.

Other organizations whose data was stolen through their Snowflake environments include Ticketmaster, Ticketek, Neiman Marcus, Santander Bank, LendingTree subsidiary QuoteWizard, Advance Auto Parts, and Pure Storage.

According to incident response firm Mandiant, the attackers did not exploit a vulnerability in Snowflake itself. They logged in with valid credentials for Snowflake customer accounts that had been harvested by several info-stealer malware families, some of them years earlier and never rotated. The affected accounts had no multi-factor authentication (MFA) enabled and no network policy restricting where logins could originate, so a username and password alone were enough.
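The checks a Snowflake administrator would run to find this exposure pattern in their own account, followed by the network restriction that would have blocked logins from an attacker's infrastructure. This is an added example, not code from the article, AT&T, Snowflake or Mandiant; it assumes a role with access to the SNOWFLAKE.ACCOUNT_USAGE views (ACCOUNTADMIN or a role granted the share), and the IP ranges in the network policy are placeholders.

```sql
-- Added example (not from the article or from AT&T/Snowflake/Mandiant).
-- Assumes a role with access to SNOWFLAKE.ACCOUNT_USAGE; CIDRs are placeholders.

-- 1. Users who can log in with a password, have no MFA enrolled, and whose
--    password is older than 90 days. A credential captured by an infostealer
--    stays valid until the password is rotated, however old the theft is.
SELECT name,
       login_name,
       email,
       has_password,
       has_mfa,
       password_last_set_time,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  has_mfa = FALSE
  AND  (password_last_set_time IS NULL
        OR password_last_set_time < DATEADD(day, -90, CURRENT_TIMESTAMP()))
ORDER BY password_last_set_time NULLS FIRST;

-- 2. Successful password-only logins in the last 30 days, grouped by user,
--    source IP and reported client. A user whose password logins suddenly
--    arrive from an IP or client never seen before is the trigger to rotate
--    the credential and review what that session queried.
SELECT user_name,
       client_ip,
       reported_client_type,
       reported_client_version,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP BY 1, 2, 3, 4
ORDER BY last_seen DESC;

-- 3. Restrict where logins may originate. Replace the placeholder CIDRs with
--    the corporate egress ranges before applying at account level.
CREATE NETWORK POLICY IF NOT EXISTS corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')
  COMMENT = 'Only corporate egress may reach this account';

ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;
```

The first query is the inventory; the second is the detection. Run the second one before applying the network policy, because any legitimate service account that shows up with password-only logins from an unexpected IP will be locked out by the policy and should be moved to key-pair authentication first. ACCOUNT_USAGE views lag live activity by up to a couple of hours, so for an active incident query the INFORMATION_SCHEMA.LOGIN_HISTORY table function instead.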
