AT&T Data Breach Linked to American Hacker in Turkey, Telecom Giant Paid $370K Ransom

By Admin | 2024-07-16 | Ransomware

The recently disclosed AT&T data breach has been attributed to an American hacker residing in Turkey, with the telecom giant reportedly paying a significant ransom to ensure the deletion of stolen information.

On Friday, AT&T revealed that a data breach had impacted nearly all of its wireless customers. Hackers exfiltrated records of customer call and text interactions from May 1, 2022, to October 31, 2022, as well as on January 2, 2023. The data originated from AT&T's workspace on a third-party cloud platform.

The compromised records include phone numbers of contacts, call and text counts, and call durations, though the content of calls or texts, timestamps, and other sensitive personal information were not affected. AT&T noted, "While the data doesn’t include customer names, there are often ways to find a name associated with a phone number using publicly available online tools."

The telecom giant also stated that it does not believe the stolen data is publicly available and mentioned that "at least one person has been apprehended." Approximately 110 million customers are being notified about the incident.

Additional details emerged over the weekend. Wired reported that AT&T paid approximately $370,000 in bitcoin to a hacker in May to prevent the data from being leaked. The hacker, a member of the notorious ShinyHunters group, provided proof of the transaction, which others confirmed through cryptocurrency transfer records. Initially demanding a $1 million ransom, the hacker settled for less and provided AT&T with a video showing the deletion of the stolen data.

The AT&T customer data appears to have come from the Snowflake data storage platform, where multiple customer instances have been compromised through stolen credentials. The ShinyHunters group is linked to these attacks, which have targeted companies such as Ticketmaster, Santander Bank, Advance Auto Parts, and Neiman Marcus.

According to Wired, John Binns, an American hacker residing in Turkey for several years, is also involved in the AT&T breach. Binns previously made headlines in 2021 for hacking T-Mobile and was indicted the following year. He was reportedly arrested in Turkey in May 2024 over the T-Mobile breach, which may explain AT&T's reference to an apprehended individual in their statement.

404 Media also confirmed Binns' involvement in the AT&T hack through multiple sources. A researcher known as Reddington told Wired that Binns contacted him in April, claiming to have obtained millions of AT&T customer call logs from Snowflake. Reddington facilitated negotiations between AT&T and the hackers for a buyback of the data.

While AT&T was initially supposed to send the $370,000 ransom to Binns, it was redirected to a ShinyHunters member due to Binns' arrest. According to Reddington, Binns and the ShinyHunters hacker stored the full AT&T database on a cloud server, where it was deleted after the ransom was paid. However, samples of the data may have been sent to multiple individuals before deletion.