AT&T data breach: What happened and how to protect your organization
Today, your phone is an essential part of your life. People use their phones to shop, play games, run businesses and even store confidential information. And that means it's a target for hackers.
While your phone number may seem like mere digits disconnected from your identity, it can be a powerful tool for a hacker. Many verification systems use phone numbers as a step to check or double-check someone's identity. And, of course, you may use your number to log into your phone service provider account, such as one with T-Mobile, AT&T or another telecom. Hackers may be halfway through a successful breach if they get your number and name.
From a business perspective, an attacker could use a phone number and ID theft to impersonate members of your organization and execute theft or fraud. This makes phone number safety an ideal learning opportunity for employees as part of a general security awareness training program.
In this episode of Hacker Headlines, Keatron Evans, VP of Portfolio Product and AI Strategy for Infosec, explains the consequences of a phone provider like AT&T being breached.
What is the AT&T data breach?
In July 2024, telephone and wireless provider AT&T announced that it had suffered a data breach. The breach happened in April but was only revealed months later.
Hackers infiltrated AT&T servers. The culprit is believed to be a hacker group called Shiny Hunters. This group recently spearheaded another massive data breach, stealing millions of customer records from Ticketmaster. Both Ticketmaster and AT&T outsourced some of their data management and storage to a company called Snowflake.
In the Ticketmaster case, hackers broke into Snowflake by hacking into one of their vendors. This is known as a supply chain attack. We aren't sure how the AT&T hack happened yet, but what we do know is that in the past few months, more than 165 organizations associated with Snowflake have suffered thefts. Therefore, some may also refer to this attack as the Snowflake data breach.
Once inside Snowflake — assuming this is how the hackers got in — Shiny Hunters hackers accessed AT&T customer data stored on the Snowflake cloud. What did they steal? ID numbers? Addresses? No. They stole customer call and text records.
These records show which numbers contacted each other, when and for how long. They don't appear to contain names or other sensitive personal information, but a hacker can link a phone number to a person with a simple Google search.
The impact of the AT&T attack
All in all, the records of more than a hundred million users were exposed. These call records are considered so sensitive and so valuable that Bloomberg reported that it was a matter of national security.
In addition, the hackers held the stolen data for ransom. AT&T reportedly paid $370,000 to have the hackers delete the stolen data.
However, that's not the end of the story. The data is likely still out there, which means you should take steps to protect yourself.
How to protect yourself from the AT&T breach
If you are an AT&T customer or have spoken to one in the last two years, your data may be included in this breach. So, what can you do?
Change your AT&T password
There's no proof that customer passwords were breached, but having your call records exposed may make you a target for attackers. This is because your AT&T phone number can be used as a login on the AT&T website. As a result, half of the private information designed to prevent hackers from getting into your account is already out there.
The good news is you can secure the other half by choosing a new, long password that you haven't used anywhere else. For example, you could use a random arrangement of numbers, letters and characters. Some choose nonsensical sentences, such as "Purplepondssquareroottwistandshout," because they're hard to guess and very unlikely to have appeared in a password data leak.
Delete old or unused accounts and services
If you have unused accounts, then you have old information and passwords sitting out there, ready for hackers to snatch. If you're not using an account or a service, delete it.
For instance, maybe you signed up for a free trial for a software service or set up an online account with a retailer. Perhaps the free trial expired long ago, and you never shop on the retailer's website. It would be best to simply get rid of those accounts instead of leaving your data out there.
Use multi-factor authentication (MFA)
Multi-factor authentication (MFA) uses different factors to strengthen your account access security. Even if a hacker steals your password, they still can't get in because they don't have all the factors. For instance, you may include your email as another step in the MFA process. An attacker may know your username and password, but to get a secret code sent to your email, they'd need access to:
- Both your mobile device and the password used to access it, or…
- Your laptop or desktop, as well as the password used to open it, or…
- Your email address and the password used to access it
Being a victim of a hack is never easy, but you can take these steps to protect yourself and others: use strong passwords and multi-factor authentication and, most importantly, stay alert. Many companies that prioritize security take another necessary step: educating their employees about the attacks to look out for and what to do if they suspect one. Even relatively brief education sessions can open employees' eyes to the signs of nefarious activity and how to respond to it.
One easy way to spark your employee education program is to have your teams watch our Hacker Headlines videos. These outline the most recent attack techniques and tools so you and everyone in your organization know how to avoid becoming the next victim.
You can also connect with someone at Infosec if you need security awareness training resources on the latest cyber threats.