Massive AT&T Breach Linked To Snowflake Attacks: Report

An AT&T spokesperson reportedly disclosed the theft of customer records was part of the recent wave of data theft attacks targeting Snowflake customers.

An AT&T spokesperson reportedly disclosed that the massive theft of customer records was part of the recent wave of data theft attacks targeting Snowflake customers.

The disclosure came as the telecom giant revealed Friday that the breach exposed records of phone and text messages for “nearly all” customers.

The breach only affects the records of phone and text messages and does not impact the content of the messages, AT&T said. The records date from a seven-month period of 2022—from May 1, 2022, to Oct. 31, 2022, according to the company. AT&T reports having more than 100 million customers.

AT&T said in a news release Friday that the “customer data was illegally downloaded from our workspace on a third-party cloud platform.”

AT&T did not identify the cloud platform in the news release, but TechCrunch reported Friday that an AT&T spokesperson tied the breach to Snowflake.

CRN has reached out to AT&T and Snowflake for comment.

Widespread attacks targeting Snowflake customers earlier this year have led to a “significant” volume of data stolen and at least 165 customers known to be potentially impacted, according to researchers from Mandiant.

Advance Auto Parts disclosed this week that data belonging to 2.3 million customers may have been compromised. Other high-profile victims have included Ticketmaster, Neiman Marcus Group, Santander Bank and Pure Storage. The wave of data theft attacks is believed to be utilizing stolen passwords.

In the news release Friday, AT&T said that “based on our investigation, the compromised data includes files containing AT&T records of calls and texts of nearly all of AT&T's cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T's wireless network, as well as AT&T's landline customers who interacted with those cellular numbers between May 1, 2022 - October 31, 2022.”

The records “identify the telephone numbers [that] an AT&T or MVNO cellular number interacted with during these periods,” the company said. “For a subset of records, one or more cell site identification number(s) associated with the interactions are also included.”

However, “the data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information,” AT&T said. “It also does not include some typical information you see in your usage details, such as the time stamp of calls or texts.”

The data that was compromised also includes records from Jan. 2, 2023, “for a very small number of customers,” the company said.

AT&T noted that it has “taken steps to close off the illegal access point” that resulted in the breach, and believes that “at least one person has been apprehended” in connection with the incident.