July 12th, 2024

AT&T says criminals stole phone records of 'nearly all' customers in data breach

AT&T confirms a data breach affecting 110 million customers, involving phone records and location data from 2022-2023. Collaboration with authorities led to one arrest. Snowflake's breach impacted other companies, stressing the need for enhanced security measures.


AT&T confirmed a data breach in which cybercriminals stole phone records of "nearly all" customers, affecting around 110 million people. The stolen data includes phone numbers, call and text records, and some location-related data from a six-month period in 2022. Some more recent records from 2023 were also compromised. The breach was linked to cloud data giant Snowflake; the stolen data does not contain call or text content, only metadata such as call durations and interactions. AT&T is working with law enforcement to address the breach, and one individual has already been apprehended. The FBI, DOJ, and AT&T collaborated to manage the situation, citing potential risks to national security. This incident marks the second security breach for AT&T this year. Snowflake attributed the breach to a cybercriminal group and emphasized the importance of multi-factor authentication. Other companies like Ticketmaster and LendingTree were also affected by data thefts from Snowflake. The stolen data has not been publicly disclosed, and efforts are ongoing to secure affected customers' information.

AI: What people are saying
The AT&T data breach affecting 110 million customers has sparked significant discussion.
  • Many commenters emphasize the need for stricter data protection laws and harsher penalties for companies that fail to secure customer data.
  • There is widespread criticism of AT&T and Snowflake for their poor security practices, with some suggesting that executives should face criminal charges.
  • Several comments highlight the potential misuse of the stolen data, including targeted scams and social engineering attacks.
  • Some users express frustration over the lack of timely disclosure and transparency from AT&T regarding the breach.
  • There are calls for better data management practices, such as deleting old data and using multi-factor authentication to prevent future breaches.
133 comments
By @whyenot - 8 months
AT&T has 110 million customers. Let's be optimistic and assume that each customer only has to spend one minute of extra time managing their account due to the break-in. That is more than 209 years of lost time.

Laws related to data breaches need to have much sharper teeth. Companies are going to do the bare minimum when it comes to securing data as long as breaches have almost no real consequences. Maybe pierce the corporate veil and criminally prosecute those whose negligence made this possible. Maybe have fines that are so massive that company leadership and stockholders face real consequences.

By @Animats - 8 months
"still-unfolding data breach involving more than 160 customers of the cloud data provider Snowflake."

So what is Snowflake normally doing with all that AT&T data? Redistributing it to "marketing partners"? Apparently. Snowflake's mission statement, from their web site:

"Our mission is to break down data silos, overcome complexity and enable secure data collaboration between publishers, advertisers and the essential technologies that support them."

So this was not, apparently, a break-in to the operational side of AT&T. Someone unauthorized got hold of data they were already selling to marketers. Is that correct?

By @r3trohack3r - 8 months
Reading the articles about this breach and the nature of the data in this Snowflake lake, I personally wouldn’t consider this breach a “leak” from the customer perspective - to me the leak is upstream of this breach.

Given the nature of the data in the database and the platform it was stored in, it seems extremely likely this data was not meant to be used internally by AT&T but was instead meant to be used externally by either a 3rd party partner (like advertisers and consumer analytics partners) or a government agency.

In other words, if it were my data in this datastore, I’d consider my data as already having been “leaked” when it went into the store - the issue here appears to be that this data was “leaked” to the wrong people from the perspective of AT&T and the FBI.

By @smcin - 8 months
AT&T stock has already bounced back from much of the initial -2.6% drop this morning, so the market thinks AT&T is immune. Meanwhile Snowflake is -3.9% down (they have many other customers than AT&T).

https://www.marketwatch.com/investing/stock/T

https://www.marketwatch.com/investing/stock/SNOW

By @chmod775 - 8 months
Over in Europe this blanket saving of phone records beyond what is necessary to operate would have been illegal in many countries, and is in general incompatible with the European Convention for the Protection of Human Rights and Fundamental Freedoms outside of active threats to national security and temporary measures overseen by a court.[1]

There's really no reason why any service providers should save this stuff in the first place, and it isn't hard to fix with legislation. Just make it illegal to even keep.

[1] https://curia.europa.eu/juris/document/document.jsf?text=&do...

By @rybosworld - 8 months
Consumers are so numb to data breaches that these events now bring very little outrage. I think without that anger from the consumer, there's little incentive for companies to do more to stop data breaches from happening.
By @guiambros - 8 months
I cancelled my AT&T account over 10 years ago, yet they still stored my (old) address, full name, and SSN in the previous hack in March.

The fact we don't have decent legislation to materially punish incompetent organizations is beyond absurd.

By @pylua - 8 months
And earlier this year my ssn was on the dark web due to their leak (or vendor). One year of monitoring? No, I’m going to need it for life.

Security is not a concern. There is no real incentive to change the status quo. Make them pay for monitoring indefinitely.

By @blessedwhiskers - 8 months
The TechCrunch article indicates cell site identifiers were included, which means approximate location as well.

https://techcrunch.com/2024/07/12/att-phone-records-stolen-d...

By @JohnMakin - 8 months
So where/what is my compensation? (I know there is no recourse).

When no one is on the hook for secure practices, like enabling MFA on your effin data stores that contain massive amounts of customer PII, this is the result. Not even an apology, just report it and move on. woops! those gosh darned cyber criminals.

By @akshayB - 8 months
The real problem is that data needs to be deleted over time. There is not much of a use case for customers to go back to last year and see who called them, and obviously there are use cases like criminal investigations or spying. But the customer has no power or ability to dictate how long their records are stored and how they are used. Companies should provide tools and features to their customers empowering them with their data.
By @jen20 - 8 months
This is the kind of breach that really should be company-ending, but will sadly instead likely result in a slap on the wrist.

It is high time for the US to have a privacy law with real teeth, and to enforce it with vigour.

By @throwaway81523 - 8 months
This happened in 2022 and they're just disclosing it now? Or did they just find out about it, which is maybe even worse?
By @John23832 - 8 months
How has Snowflake felt ANY recourse for being the source of all of these hacks?
By @zsdfgyn - 8 months
Key point of the article:

"Snowflake allows its corporate customers, like tech companies and telcos, to analyze huge amounts of customer data in the cloud. It’s not clear for what reason AT&T was storing customer data in Snowflake, and the spokesperson would not say."

Finally journalists are asking the question why customer data must be stored with third party cloud providers. AT&T is a long way from Bell Labs, shame on them.

By @xbmcuser - 8 months
This data will be a gold mine for scammers. When they know relationships and real names of people they can target people as well as create specific attacks for different people. Now with what LLMs are capable of, mass social engineering is possible.
By @gz5 - 8 months
The root cause (1) is the data store should not have been available on the underlay network. Anything connected to an underlay network is a ticking time bomb.

Any servers or admins which need to talk to the data store should instead use a private overlay (2) network.

Any users (likely just remote admins) should do the same.

(1) Same root cause as 99% of breaches and yet it is too often swept under the rug while we focus on the infinite # of proximate causes

(2) Software, not private circuits.

By @graybeardhacker - 8 months
Freeze your credit people! It's super easy. It's not a perfect fix but it's so trivial to do and it will help.

https://www.usa.gov/credit-freeze

You can unfreeze through an app whenever you want/need to.

By @smcin - 8 months
This is huge; also AT&T knew on Apr 19 but only disclosed now; ongoing fallout from the Snowflake compromise:

- Records downloaded from Snowflake cloud platform

- "AT&T will notify 110 million AT&T customers"

- Compromised data includes customer phone numbers ("for 77m customers"), metadata (but not actual content or timestamp of calls and messages), and location-related data. Not SSNs or DOBs. Mostly during a six-month period 5/1-10/31/2022, but more recent records from 1/2/2023 for a smaller but unspecified number of customers. TechCrunch [1] has more details including Mandiant's response, the name and suspected location of the cybercriminal group.

[1]: https://techcrunch.com/2024/07/12/att-phone-records-stolen-d...

I wonder if Congress manages to summon TikTok-like levels of anger on regulating this one.

By @JoshTriplett - 8 months
"AT&T reveals it has records of cellular customers' calls and texts"

These records should have been deleted at the latest at the point where they're no longer relevant for billing. (Which also means that for customers with unlimited calling/texting, there shouldn't be any records in the first place.)

By @swarnie - 8 months
Why would AT&T even need to keep this data?

All I can think of is billing for a fraction of plans from the early 2000s who still pay per min/per text. Or maybe for capacity metrics but even then you only need the overall data point not the actual records once collaborated.

What's the US law for keeping data as long as it's relevant and needed?

By @spacephysics - 8 months
Text meta data is an important distinction

Still not good, but headline feels clickbait if I think my text messages leaked

By @MOARDONGZPLZ - 8 months
Is this leak why the spam text messages have gone from “Hi how is your day ?” or “Hi [not my name] please do thing X. If you’re not [not my name] I’m so sorry perhaps we can be friends.” to “Hi is this [my full name]?” or “Hello [my first name] how is your day ?”
By @southernplaces7 - 7 months
Events like these will only become more prevalent as more personal, corporate and other information is digitized and stored by organizations too busy with other things to 100% button down their data (possibly an impossible thing anyhow), or simply too inept (a very common thing). There is a possible good side to it though, that it makes everyone, not just a few lone souls, much more conscious about privacy and rampant personal data collection, perhaps enough for a sea change in habits in the corporate and consumer worlds.
By @mikewarot - 7 months
Why don't organizations hide their servers behind data diodes? Store everything in an air gapped network with strictly defined interfaces.

I've been wondering this since the Office of Personnel breach[1] back in 2015.

[1] https://en.m.wikipedia.org/wiki/Office_of_Personnel_Manageme...

By @jmount - 8 months
And corporations like AT&T are themselves immune to having their own identities stolen (my notes: https://win-vector.com/2024/07/12/yet-another-way-corporatio... ). Corporate EINs (the US corporation equivalent to US social security numbers) are public. Knowing one doesn't let you commit identity theft and credit card against a corporation (unlike the case for people).
By @kjellsbells - 8 months
I find it interesting that in your typical BigCo breach, they are at pains to point out that credit card details were not stolen. I infer from this that something about credit cards, and how they are secured, has real teeth and BigCo's lawyers are trying to stop them biting. Is this PCI-DSS? Maybe someone can comment.

As far as this breach goes, I think it just confirms my gut feel that Snowflake are heading to the wood chipper.

By @advael - 8 months
At the scale of this kind of incompetent failure, no human being should be on board with the narrative that we should be blaming "criminals" for this

If we don't hold companies accountable for keeping far more access and retention than should be legal, and securing their systems poorly, this situation will never get better

By @OutOfHere - 8 months
Unfortunate as it is, nobody genuinely cares about:

1. Preventing data breaches

2. Properly anonymizing aggregated personally identifiable data

3. Having and using a secure ID and verification system

By @declan_roberts - 8 months
I would like to sue AT&T in small claims for this and for leaking my Social Security number. But it's difficult to prove damages in these situations.

Does anybody have any advice? Proving damages means showing actual monetary harm.

By @robxorb - 8 months
Why is it "nearly all"? Which customers didn't have their data stolen and why were they magically left aside of this? It's obvious the data thieves had complete dominance in the system so what query did they run to get only "nearly all"?
By @mjevans - 8 months
These are all security nightmares aren't they? It smells as if all the resources went into delivering billing, then barely enough for technically working service, and then is there even anything leftover for security (instead of this being part of the foundation of a service)?
By @advael - 8 months
It's disgusting that we still write headlines as "hackers steal" rather than "enormous company fumbles security for data they should never have retained"
By @xyzzy4747 - 8 months
It's interesting when you have these old, large, sprawling bureaucratic organizations and the employees hardly give a sh!t anymore and allow for these large vulnerabilities. It's not a money issue, it's a caring issue I think.
By @jonplackett - 8 months
Unbelievable that they do not enforce 2FA for a client that huge. Absolute madness!
By @John23832 - 8 months
And, honestly, how is this info (which I WOULD want to know) meaningfully actionable to customers. We get our information stolen from a myriad of sources everyday. These companies do comparatively nothing to make things right and the burden falls on customers to pick up the pieces if you're in a tranche that is sold and used.
By @willfiveash - 7 months
In the email I got from AT&T regarding this data breach was: "Protecting customer data is a top priority. We have confirmed the affected system has been secured. We hold ourselves to high privacy standards and are always looking for ways to improve our security practices."

Well, now I feel better. 8^)

By @kragen - 8 months
wow, a spy agency acquired the entire social network graph of the usa in one intrusion. that's bad news for civil defense; it means they have a good guess at who is the favorite relative of each legislator, governor, police chief, or general. and where they can habitually be found at each hour of the week, since this leak included location data!

how can we keep such accumulations of sensitive data from arising in the first place? only countries that figure it out are likely to survive the turbulent coming decades

By @SoftTalker - 8 months
"While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number"

In other words, your phone number and name is likely in a public record somewhere. It's not that private.

The info leak should not have happened but in the grand scheme of things it's not that big a deal. "The content of the calls and messages was not compromised." The worst it does is reveal who has been sending messages to or calling each other.

By @stevetron - 8 months
AT&T bought into a significant amount of DirecTV - so much so that everything that had the DirecTV logo on it was changed to the AT&T logo, such as the invoicing. So the AT&T customer base has included, for several years, the DirecTV customer base. The article doesn't attempt to clarify who the 'nearly all' customers are, and some people will jump to the conclusion that it is the cell phone customers. But it could include the DirecTV customer base whose data is also at risk.
By @jdlyga - 8 months
It's one more reason to use an end to end encrypted messaging app like iMessage or Telegram. Even WhatsApp is end to end encrypted. Don't use SMS/RCS.
By @chasenjohnson - 8 months
You would effectively be able to cross reference this meta data with 2 factor authentication services. It’s probably time to start removing this option entirely.
By @mdale - 8 months
Interesting that they use the word criminals instead of hackers.. makes it sound like it was a physical heist rather than poor security practices on their part :)
By @cddotdotslash - 8 months
Another article[1] cites AT&T's Snowflake deployment as the source of the breach:

> It’s not clear for what reason AT&T was storing customer data in Snowflake, and the spokesperson would not say.

[1] https://techcrunch.com/2024/07/12/att-phone-records-stolen-d...

By @the8472 - 8 months
The headline could equally say "AT&T kept data for criminals to steal".

If wiretapping laws didn't exist then most of this data would not be justified to exist. Flat-rate billing doesn't need to keep track of this information. Even usage-based plans could keep cumulative records rather than individual ones, or at least delete them at the end of a billing period.

Where there is a trough, pigs gather.

By @gumby - 8 months
The data can be used for traffic analysis (number->number call data); "no PII" except it's pretty easy to match a number to a likely user.

I'm an AT&T customer, and in my case I don't have a risk, but I can imagine this info could be very handy for divorce, custody, and corporate IP lawsuits. So worse than it might look to ordinary folks.

By @abduhl - 8 months
>> AT&T said it learned of the data breach on April 19, and that it was unrelated to its earlier security incident in March.

Why was this not disclosed on AT&T’s earnings call on April 24? At least someone will get compensated for the breach, although it’ll be the lawyers for the class action lawsuit that’s about to hit instead of the customers that got their information stolen.

By @buro9 - 8 months
Including all location metadata associated to that?
By @CuriouslyC - 8 months
Big breaches like this are gonna be wild with advanced GenAI. Combing through the shit for the diamonds provided some degree of limitation on the impact of big breaches in the past but all those calls are going to be accurately transcribed and mined by AI and the attackers are going to have a buffet of products and targets laid at their feet.
By @II2II - 8 months
My first question is: why was the data being stored by a third party in the first place?

Shouldn't data like this be stored completely independently of the Internet? Yes, I realize that does not guarantee it is secure since there has to be some point of access. On the other hand, it would reduce opportunities for people to breach the databases.

By @yiamvino - 8 months
I might be a lone wolf here, but I kind of feel pity for ATT. I don't know why they are solely getting all the loathing here. The actual incident occurred on a public cloud provider who had not provided secure tools and practices to their customer. So in this case the customer is getting blamed, for buying a service, for the cloud provider's lack of best practices.
By @ilteris - 8 months
I am an ATT user and on a Pixel, which is generally good at filtering spam messages. I have noticed I was getting so many spam messages recently ("wanna make money working remotely for x hours a day only") I was surprised and thought my number somehow made it to one of those spam networks. This confirms my suspicions.
By @purpleblue - 8 months
WHY IS THIS DATA EVEN AVAILABLE TO BE DOWNLOADED??? Why do we not have protection in place so that hackers can't even download this data even if they wanted to?? What purpose does 2 year old data serve AT&T except to monitor us and to create social networks of people and associations?
By @autoexec - 8 months
> The company said the hack wouldn’t be material to its operations or negatively impact its financial results.

And this is why consumers will continue to see their information compromised by companies who collect and retain more data than they need and then fail to invest the time and resources to protect it.

By @demondemidi - 8 months
Would be great if some of the smart people here could help explain why this is such a big deal to my less tech savvy friends. I know that I don’t know how the data broker to dark web hacker pipeline works, I just know security is important. But my family is like “big deal”.
By @bobo_legos - 8 months
Snowflake might want to take this page down in light of today's news.

https://www.snowflake.com/en/customers/all-customers/case-st...

By @TriangleEdge - 8 months
When are we going to see the technical report of what happened? Since this data has a specific time frame, it makes sense to me that a backup was stolen. But, we'll see.

My guess is that the tech leaders at AT&T are going to have sore wrists for a few minutes because of this.

By @BenFranklin100 - 8 months
This is a political problem. Until we pass laws that companies can be found liable for significant damages in the event of data breaches, we will see little progress on data security. This is an area where Congress needs to act. Current law does not adequately protect the public due to the difficulties in establishing standing, tying specific breaches to specific personal damages, and other reasons.

Such a law would seriously impact current practices of the majority of IT firms, including small app developers, which is why we see little push from Silicon Valley for such changes.

By @kator - 7 months
I read an article in wapo that said you can use this URL to see what data was exposed: https://www.att.com/event/lander
By @banish-m4 - 8 months
AT&T - too big to jail, worst UX, worst service, and worst customer service ever. Until CEOs end up in prison, nothing will change and there will be no consequences. It will never happen because money has more votes than citizens.
By @skybrian - 8 months
> Snowflake blamed the data thefts on its customers for not using multi-factor authentication to secure their Snowflake accounts, a security feature that the cloud data giant did not enforce or require its customers to use.

And is that going to change?

By @ChrisArchitect - 8 months
By @Tagbert - 8 months
So, what is the actual threat from this? That someone now has my phone number (already public) and knows that I have called or texted with some other numbers? What is the risk in that? It’s not clear.
By @theGnuMe - 8 months
They even got the data of former customers, like 10 year ago customers. That should be illegal. Your personal data should be deleted after you are no longer in business together.
By @softwaredoug - 8 months
> AT&T blamed an “illegal download” on a third-party cloud platform

WTF does this even mean?

The cloud employees downloaded it? If it's so sensitive, why wouldn't this be heavily e2e encrypted?

By @cynicalsecurity - 8 months
In EU, this would have been a huge scandal. This would involve huge fines and the company would really try their best not to be so sloppy with data protection. But they are not in EU.
By @MisterBastahrd - 8 months
Be nice to have a new federal law: you get breached, you pay $5K plus lifetime credit monitoring to each person involved. Non-dischargeable by bankruptcy. No arbitration, no lawsuit. You pay.
By @berniedurfee - 8 months
So is this data fair game to be used by lawyers and cops in the US?

I guess maybe a cop would still need a warrant to use the data, but what about civil court cases?

By @hindsightbias - 8 months
Does any organization, anywhere, alarm when a port exceeds a couple dozen TB of data? If they can lock down every phone use to a GB/month…
By @ungreased0675 - 8 months
So, AT&T wasn’t using MFA?

A lot of information can be derived from analysis of call records. If this information becomes public, it could be disastrous.

By @llm_trw - 8 months
About 6 years ago I was seriously wondering how snowflake could move so fast while keeping customer data secure... welllllll.
By @aorloff - 8 months
I would say ATT ran afoul of a bunch of CA laws by putting this data on snowflake to begin with
By @smcin - 8 months
Some new news in the article and comment:

- [security expert] "This [logs without timestamps] isn’t one of their main databases; it is metadata on who is contacting who. Its only real use is to know who is contacting whom and how many times."

- [commenter] "I have a theory that this call log was being used for a national security investigation. Otherwise why would this rise to the level of public safety/national security exemption?" [with two DOJ-approved 1-month delays for disclosure]

So, someone set up a separate Snowflake instance with mostly May-Oct 2022 AT&T data (90% former customers) apparently for that purpose. And left it up. Will anyone in Congress (e.g. Sen Ron Wyden) ask who did and why? (Another commenter on HN pointed out that Roe v Wade was overturned 6/2022, presumably that was not the intent of the original national-security investigation, but there's a potential for privacy abuse by the hackers' customers beyond everyday spam)

- In early 2023, Snowflake set up a unit especially for Telco data. But when you read the blurb (below), this product is not aimed at the telco's use-case; coincidentally this was also around the time Snowflake was touting integration with GenAI.

"Unlocking the Value of Telecom Data: Why It’s Time to Act" https://www.snowflake.com/blog/telecom-data-partnerships/

"Telecoms are the connecting tissue of the modern economy. They run everything... growing importance... hyperconnectivity.

What makes telecom service providers unique is that they have access to consumer location data. For most other industries, a consumer can go into their phone’s privacy settings and turn off the location access in the smartphone app. But in the world of telecom, as long as the phone is connected to a network, the telecom provider can use triangulation to find the approximate location of a consumer. This is why there is an emerging trend of companies [which ones?] building partnerships with telecoms to power use cases across multiple industries from competitor intelligence, alternate credit scoring, hyper-targeted marketing and more.

... Yet, despite the importance of telecommunications for society and in connecting industries, network operators are not yet fully embracing the value of the data they have at their fingertips"

But the value of this data (90% former customers) was clearly not to the telco itself... so who is the unnamed partnership and who is the end-customer? And was one of Snowflake's AI partners involved?

By @bediger4000 - 8 months
That's an enormous amount of data. How do you not notice a huge, network-hogging data flow?
By @dapearce - 8 months
No dates or timestamps included meaning they were using the data to build a social graph.
By @greenavocado - 8 months
Feds crucified weev in 2010 when he notified AT&T of exposed user data
By @exabrial - 8 months
The only "criminals" is AT&T for leaving the doors wide open.
By @nxobject - 8 months
I look forward to receiving my 30 cents in settlement money in five years.
By @dbg31415 - 8 months
Or they just sold it / gave it to NSA and needed a cover story…
By @wly_cdgr - 8 months
Why did it take them over a year and a half to disclose this?
By @zomg - 8 months
when will governments hold these companies, but more importantly their executives, criminally liable for their lack of protecting customers' information?
By @telgareith - 7 months
No mention of ITAR issues? In the comments?
By @benreesman - 8 months
The old-timers remember a term: “dark fiber”.

There’s going to be a lot of “dark compute” once we throw these lazy assholes out.

Speaking for myself, I’m thinking of what the economics look like when HBM is abundant.

By @mensetmanusman - 8 months
Nice way to rule out who is a spy or not. Nice.
By @throwaway120724 - 8 months
There's no way to make the software perfectly safe from hackers and from social engineering. So, yes, companies should be more careful with the data and, yes, the data shouldn't be kept forever. I agree companies should be doing more to protect the data.

I see lots of outrage at the companies and why isn't the government doing more to punish them and how do I get compensated ...

But, I feel like everyone is blaming the victim. Is it the homeowner's fault when someone breaks in and steals stuff?

Where's the outrage at the hackers breaking into these accounts? Where's the "why aren't the governments tracking these people down?" Why is no one demanding that the hackers be brought to justice?

By @cwillu - 8 months
“Brad Jones, chief information security officer at Snowflake, told CNN in a separate statement that the company has not found evidence this activity was “caused by a vulnerability, misconfiguration or breach of Snowflake’s platform.” Jones said this has been verified by investigations by third-party cybersecurity experts at Mandiant and CrowdStrike.

AT&T said it launched an investigation, hired cybersecurity experts and took steps to close the “illegal access point.””

That's pretty rich: “it wasn't misconfigured, it was just illegally open, and now we're closing it”.

By @1attice - 8 months
this breach is of course appalling. But nearly as appalling is the experience of _explaining why this matters_ to non-technical friends who stare at you with blank, distracted eyes, but only for a second; for their phone (yes, the very phone that just exposed them to uncountable future ills) has chimed.

I have nearly given up; like smoking, it will be decades before the harms are understood. We have to wait for your neighbour's brother to have died in a targeted political killing, because someone didn't like his Substack and borrowed the number and likeness of a friend; for his daughter's credit score to have been crushed by an anti-abortioneer who borrowed her face and likeness and number knew her first-grade teacher; for his son to die a death of despair, after making the wrong friends, and getting doxxed along with the rest of them.

This should be a five-foot headline moment. But no; CNN will lead with Biden-mumbles or Trump-grumbles.

How is it that the things that are killing us --- inequality, climate change, privacy collapse -- all have this same shape? Hamlets, all of us.

By @hnpolicestate - 8 months
If AT&T has the power to sell said data to whichever 3rd party it wants, why should this bother me?
By @shironandonon_ - 8 months
just put all information (names, addresses, ssn, DoB, etc) on a publicly visible blockchain already.

Then there is no data left to breach.

Instead develop systems to audit the usage of that blockchain and send to jail/military anyone who attempts to use that information in an unauthorized manner.

By @crmd - 8 months
Airliner crashes would be as common as data breaches if regulators set the same expectations.
By @riffic - 8 months
did they just enumerate an open web endpoint for it or something?
By @iftheshoefitss - 8 months
Same hackers as Twilio :) no amount of security would have prevented this
By @fnord77 - 8 months
so just metadata, not the actual texts or PII
By @smcin - 8 months
Joining the dots on the facts so far, people don't seem to have grasped the apparent huge significance:

- guessing it was some GenAI startup looking into consumer tracking, alternate credit scoring, surveillance or other national-security use-case.

- Very unusually, the DOJ ordered two ~month-long "delay periods" in disclosure: ("The Justice Department determined on May 9 and again on June 5 that a delay in providing public disclosure was warranted"). Yet this didn't happen for Ticketmaster or MOVEit breaches revealed around the same time. "Cybersecurity delay period requests" is a new power quietly authorized by the DOJ+SEC+FBI, 18 Dec 2023 [0]. Note that [1] emphasizes this as "Corporate Alert - guidance for delay requests [on SEC 8-K]". Might Congress already have known/suspected, when it authorized the cybersecurity delay request powers, of the Snowflake/AT&T breach? Either way, whoever is involved seems to have very powerful friends. Also, the big FISA renewal vote was Apr 19 2024 [2].

- Seems the cloud instance was set up the same time GPT-4 was released (March 2023), also when Snowflake set up a Telco business unit [3] ("Location data... Alternate credit scoring, hyper-targeted marketing and more... an emerging trend of companies building partnerships with telecoms to power use cases across multiple industries"). This product is not aimed at the telcos' use-cases, but at new revenue streams. (Who might the unnamed Snowflake AI partner(s) be?)

- They set up the Snowflake instance with AT&T/MVNO customers with timestamps removed, but with location data, yet the phone numbers not obscured or removed. Doesn't sound like "internal analytics" or "competitor analysis". What sorts of end-users want to pay for the entire social-graph of 110m, regardless whether those customers never make a phone call again? [EDIT: I confused the details of this AT&T breach with the other (2019) one disclosed on 3/2024: 77m AT&T/MVNO customers, 90% of them former customers]

[0]: "FBI Guidance to Victims of Cyber Incidents on SEC Reporting Requirements: FBI Policy Notice Summary" https://www.fbi.gov/investigate/cyber/fbi-guidance-to-victim...

[1]: "US Corporate Alert - DOJ, FBI, and SEC provide guidance for delay requests relating to disclosure of cybersecurity incidents under form 8-K" https://www.klgates.com/DOJ-FBI-and-SEC-Provide-Guidance-for...

[2]: US House approves FISA renewal – warrantless surveillance and all https://news.ycombinator.com/item?id=40041784

[3]: Snowflake cloud Telco unit, 4/2023: "Unlocking the Value of Telecom Data: Why It’s Time to Act" https://www.snowflake.com/blog/telecom-data-partnerships/

By @syngrog66 - 7 months
Hold AT&T responsible. Their officers. Prison time. Or this kind of carelessness with millions of people's lives will keep on happening. If officers get million-dollar paychecks, they must also risk criminal penalties to balance out.
By @pyuser583 - 8 months
Holy shit. If true …. Wow. This can be used for all sorts of evil.
By @josefritzishere - 8 months
damn
By @hughesjj - 8 months
And this is yet another reason why I use signal
By @not2b - 8 months
"It remains unclear why so many major corporations persist in the belief that it is somehow acceptable to store so much sensitive customer data with so few security protections."

It's because there are almost no consequences to them if they lose the customer data, beyond a day or two of bad press. If they faced significant fines, fines that get worse the more sensitive the data is, then they'd have an incentive to do better.

By @smcin - 8 months
Ongoing fallout from the Snowflake compromise; AT&T knew on Apr 19 but only disclosed now (Why does this not fall under SOX violation with the obligation to report timely to affected parties? It has affected AT&T's stock price -3% in early trading, so shouldn't it have also required SEC disclosure?)

- Records downloaded from Snowflake cloud platform

- AT&T will notify 110 million AT&T customers

- Compromised data includes customer phone numbers, metadata (but not actual content or timestamp of calls and messages), and location-related data. Not SSNs or DOBs. Mostly during a six-month period 5/1-10/31/2022, but more recent records from 1/2/2023 for a smaller but unspecified number of customers. TechCrunch report has more details including Mandiant's response, the name and suspected location of the cybercriminal group

I wonder if Congress manages to summon TikTok-like levels of anger on regulating this one.

By @nequo - 8 months
@dang Could I ask why this topic gets systematically penalized in the HN ranking? There have been 15 submissions so far, I assume partly because previous submissions are not shown on the main page so HN users keep re-submitting it. This topic is both newsworthy and high interest.

(I was going to link to the 14 other submissions but the list is too long and it'd just come across as obnoxious.)

By @floatrock - 8 months
> In a statement, AT&T said that the stolen data contains phone numbers of both cellular and landline customers, as well as AT&T records of calls and text messages — such as who contacted who by phone or text — during a six-month period between May 1, 2022 and October 31, 2022.

AT&T customer? Prepare for phone calls / text messages from your most frequent contacts saying "I got stranded / I'm Officer Blahblahman helping your friend get home... please send gift card / venmo"

It's only metadata...

By @lumb63 - 8 months
This is another consequence of the surveillance state. The same data that can be used to surveil us by the government can be stolen by who-knows-who. We’d all (mostly) be far better off, IMO, if companies didn’t retain such records.
By @RyanAdamas - 8 months
Criminal charges need to be filed and class action lawsuit for fraudulent services for all the customers duped into renewing monthly services ignorant of the fact the service is not secure as plainly stated it must be in federal law.
By @squeegee_scream - 8 months
It's ok everyone! Protecting our data is one of AT&T's top priorities.

> Protecting your data is one of our top priorities. We have confirmed the affected access point has been secured.

> We hold ourselves to a high standard and commit to delivering the experience that you deserve. We constantly evaluate and enhance our security to address changing cybersecurity threats and work to create a secure environment for you. We invest in our network’s security using a broad array of resources including people, capital, and innovative technology advancements.

I hope there's an enormous fine for this kind of negligence

By @zombiwoof - 8 months
User: admin Password: password
By @DarkmSparks - 8 months
Isn't this just a legally mandated API for all phone operators in the US?

Edward Snowden published several slide decks about it a few years ago, before he defected to Russia.