AT&T confirms a data breach affecting millions, with phone records stolen from Snowflake. Learn about the breach details and cybersecurity response

Continue reading
AT&T, one of the largest telecommunications companies in the U.S., confirmed a significant data breach impacting approximately 110 million customers. This breach, disclosed on a Friday, involves the theft of phone records. The incident is linked to Snowflake, a cloud data platform used by AT&T for storing and analyzing customer data. This write-up delves into the technical nuances, implications, and response strategies related to this breach.
The stolen data includes call and text records from May 1, 2022, to October 31, 2022. Additionally, some records from January 2, 2023, were compromised for a smaller, unspecified number of customers.
The data stolen comprises metadata such as:
It's important to note that the content of calls or texts was not compromised.
The breach affects AT&T’s cellular and landline customers, as well as customers of other carriers using AT&T’s network. Notifications are being sent to around 110 million customers.
AT&T identified the breach on April 19, 2023. The data was stolen from Snowflake, where AT&T stored customer records.
The breach was traced back to Snowflake, a cloud data platform used by AT&T. Snowflake allows corporate customers to analyze large amounts of data. The exact reason why AT&T was storing customer data in Snowflake remains unclear.
Cybersecurity firm Mandiant assisted in the incident response. Mandiant attributed the breach to the cybercriminal group UNC5537, known for being financially motivated and having members in North America and Turkey.
The FBI and DOJ collaborated with AT&T on managing the incident, delaying public disclosure twice due to national security concerns. At least one individual involved in the breach has been apprehended, although this person was not an AT&T employee.
Earlier in the year, AT&T experienced another security incident. This incident required the reset of account passcodes due to a separate data compromise. Encrypted passcodes for accessing AT&T customer accounts were published on a cybercrime forum, prompting AT&T to take precautionary measures.
AT&T joins other companies like Ticketmaster and QuoteWizard in experiencing data thefts from Snowflake. These breaches are often attributed to poor security practices, such as not using multi-factor authentication (MFA). Snowflake did not enforce or require MFA for its customers, leading to significant data thefts.
The breach highlights significant vulnerabilities in cloud storage security practices. Snowflake’s failure to enforce multi-factor authentication (MFA) allowed cybercriminals to access and steal vast amounts of data. This incident underscores the necessity for robust security protocols in cloud environments.
Although the breach did not expose the content of calls or texts, the stolen metadata can still have serious implications. Metadata includes:
This information can be used for targeted attacks, identity theft, and other malicious activities.
import snowflake.connector
# Secure connection to Snowflake
conn = snowflake.connector.connect(
user='<username>',
password='<password>',
account='<account>'
)
# Enforcing MFA for secure access
conn.cursor().execute("ALTER USER <username> SET MFA_REQUIRED = TRUE")
# Example of secure data storage query
query = """
INSERT INTO customer_data (phone_number, call_duration, cell_site_id)
VALUES (%s, %s, %s)
"""
data = ('+1234567890', 300, 'site123')
conn.cursor().execute(query, data)This snippet illustrates a secure connection to Snowflake and enforcing MFA for added security.

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been