AT&T Discloses Breach Exposing Call and Text Records of 'Nearly All' Customers
AT&T confirmed attackers accessed call and text-message metadata for nearly all of its cellular customers between May and October 2022, downloaded from a third-party cloud workspace.
AT&T confirmed in a regulatory filing today that attackers obtained call and text-message metadata for "nearly all" of its wireless customers, exposing roughly 109 million subscribers.
The data was exfiltrated from a third-party cloud workspace — widely reported to be Snowflake — and covers communications metadata from May 1 through October 31, 2022, with a smaller set of records from January 2, 2023.
While the stolen records do not include message content, they do include phone numbers contacted, call counts, and aggregate call duration. Researchers note that this metadata can reveal sensitive relationships and patterns of life.
"Telephony metadata is a powerful surveillance dataset," said Riana Pfefferkorn, a research scholar at Stanford Internet Observatory. "Knowing who called whom, when, and for how long is enough to map social networks with high fidelity."
AT&T said it became aware of the breach in April after being contacted by an extortion actor, and worked with the FBI to delay public disclosure until the law-enforcement investigation could progress. Bloomberg reported AT&T paid roughly $370,000 in bitcoin for a video purporting to show deletion of the stolen data.
The Snowflake-linked compromise has now resulted in disclosed data theft from at least 165 organizations, including Ticketmaster, Santander, and Advance Auto Parts, after attackers used credentials harvested by infostealer malware to access accounts that lacked multi-factor authentication.