In a nutshell: Hackers stole more than 100 million AT&T customers' phone records from 2022. The information from a six-month period contained metadata, including phone numbers, call and text counts, durations, and, in some cases, tower ID numbers. However, the contents of text messages and calls were not accessed.

On Friday, AT&T disclosed a massive data breach that exposed the phone records of nearly all of its 110 million customers. TechCrunch notes that although the company discovered the intrusion on April 19, the records accessed were from May 1, 2022, and October 31, 2022. Additional data from January 2, 2023, was also compromised. The data cache contained phone numbers and records of calls and text messages from cellular and landline users.

The wireless provider said the breach did not include the content of calls or texts but did reveal metadata, including who contacted whom, the total count of calls and texts, and call durations. Some records also contained cell site identification numbers, which bad actors could potentially use to approximate the location of calls and texts.

The breach also affected customers of other carriers using AT&T's network, broadening its impact significantly. The company said it would notify its customers affected by the breach but didn't mention actions regarding the other affected providers.

Interestingly, this intrusion is connected to the recent Snowflake breach. Snowflake is a cloud data provider whose customers, including AT&T, Ticketmaster, and QuoteWizard, suffered from unauthorized access to data stored on the company's cloud servers. Researchers determined the root cause was a lack of enforced multi-factor authentication (MFA) on Snowflake accounts, leaving them vulnerable to attack.

Cybersecurity firm Mandiant, assisting Snowflake, reported that hackers stole a significant volume of data from approximately 165 customers. They attributed the breach to a cybercriminal group known as UNC5537, with members from North America and Turkey.

In response to the breach, AT&T has been working closely with law enforcement to track down the cybercriminals involved. The company confirmed that at least one person was apprehended, noting that it was not an AT&T employee. As mentioned, the attack occurred in April, but the FBI and the Department of Justice asked AT&T to delay public notification twice due to potential national security and public safety risks. The FCC tweeted that it was also involved and conducting an investigation.

This breach marks AT&T's second major security incident this year. Earlier, the company had to reset account passcodes after encrypted customer data appeared on a cybercrime forum. The ease with which bad actors could decrypt these passcodes prompted the carrier to take swift protective action, but only after denying the breach for two weeks.

Those concerned can find more information regarding the incident on AT&T's dedicated website. The company says it continues to work diligently to prevent further unauthorized actions.

Image credit: Mike Mozart