Data Breaches Arent a Joke - AT&T and the 73 million user data leak

[TVwazhere]

Summary

-This is Not an April Fools Joke-

 

AT&T, one of the Big Three Cellular Network providers as well as internet to millions of Americans, announced that a dark web database was released containing 7.3M active AT&T users and 65M inactive users. Most concerning is the leak of Social Security numbers and dates of birth. 

 

Quotes

Quote

AT&T revealed over the weekend that the data of 73 million customers, including social security numbers, had been compromised in a data breach—a hack some media outlets state was reported back in 2021.

In a statement posted to its website, AT&T said that a recent data set released on the dark web approximately two weeks ago contained data from its customers. At this time, it’s not clear whether the hackers were able to breach AT&T systems or those belonging to one of its vendors, the company added. The data obtained by the hackers contained social security numbers, email addresses, phone numbers, dates of birth, AT&T account numbers, and AT&T passcodes.

Spoiler

Of the 73 million people affected, 65.4 million were former AT&T customers. In the case of the 7.6 million current customers, AT&T has automatically reset their passcodes. Passcodes are four-digit codes used by AT&T customers to add an extra layer of security to their accounts, in addition to their passwords, and are presented during some operations such as calling customer service. Customers whose passcodes have been reset have been contacted by AT&T.

 

My thoughts

First AT&T had the major service outage, and now a massive breach of personal data. While the data is speculated to be from 2021, it is unknown how far back the data extends, so customers who switched form AT&T back in 2018 (Hi, hello, its me) could still be affected. Admittedly I was part of a family plan so my SSN should be safe(r).

 

As a reminder, using both a 2FA app like Google Authenticator as well as a Password manager are some of the best ways you can protect yourself in the digital world we now live in, which feels almost inevitable that our data will be at some point compromised. 

 

Sources

https://abcnews.go.com/US/wireStory/att-data-breach-leaked-millions-customers-information-online-108697485

https://www.cnn.com/2024/03/30/tech/att-data-leak/index.html

https://gizmodo.com/att-data-breach-hack-73-million-current-old-customers-1851378110

[Lurick]

I got the email the other day, they said only my passcode was impacted but we'll see if that's really the case. The email said they would follow up more in the coming days with more information.

As a side note, for anyone else who had their passcode reset as a part of this, you cannot use the online tools to reset your passcode. It will say your information is incorrect so I had to go through customer service to get it changed. The rep I spoke to said it was a system issue they're working on fixing. Fun times

[NinJake]

12 minutes ago, Lurick said:

As a side note, for anyone else who had their passcode reset as a part of this, you cannot use the online tools to reset your passcode. It will say your information is incorrect so I had to go through customer service to get it changed. The rep I spoke to said it was a system issue they're working on fixing.

Hopefully they had a somewhat secure way of verifying you are who you say you are when updating these passwords. This is similar but not exact to how big name players had their accounts compromised and Text 2FA codes relayed to bad guys in the past. (SIM Swap attack) I get this is a little different but I'm a bit curious how they handle these situations when the automated methods are unavailable.

[Lurick]

2 minutes ago, NinJake said:

Hopefully they had a somewhat secure way of verifying you are who you say you are when updating these passwords. This is similar but not exact to how big name players had their accounts compromised and Text 2FA codes relayed to bad guys in the past. (SIM Swap attack) I get this is a little different but I'm a bit curious how they handle these situations when the automated methods are unavailable.

Oh that's what was extra fun. The passcode is to identify you as the authorized user for the account after other verification methods. However since I was logged in the rep just asked what I wanted to update it to and set it from there for my internet account. I think it's different if you have a wireless line with AT&T but it's still stupid that it was that easy to update it. They are supposed to, from what I've read have you verify other information since the automated system requires your last 4 digits of the SSN and your billing zip but yah, I would say they fail on keeping that part secure as well

 

You can't even have a recovery phone number if you do not have a wireless number with AT&T, you can only do email which is pretty dumb in itself.

[Spotty]

Quote

Per the linked story, social security numbers and dates of birth exist on most rows of the data in encrypted format, but two supplemental files expose these in plain text. Taken at face value, it looks like whoever snagged this data also obtained the private encryption key and simply decrypted the vast bulk (but not all of) the protected values.

https://www.troyhunt.com/inside-the-massive-alleged-att-data-breach/

Oof. At least they encrypted it, I guess?

 

Also looks like - for the birth dates at least - the encrypted data wasn't salted. The dataset has birth dates in an encrypted state. It includes a separate file (rainbow table) for birthdays which just includes every possible birth date combination and its encrypted value. It's possible to compare the encrypted value from the dataset to the table of birth dates to get the true value.

 

I'm actually surprised that birth dates were encrypted at all.

 

30 minutes ago, TVwazhere said:

While the data is speculated to be from 2021, it is unknown how far back the data extends, so customers who switched form AT&T back in 2018 (Hi, hello, its me) could still be affected.

2021 was when an attempt was made to sell data stolen from AT&T. Apparently this data has been confirmed by AT&T to be from 2019 and include data on current and former customers from 2019 and prior.

 

If it was 2019 then the attacker would have generated every possible birth date combination since 1900 (1900 - 2019 = 119 years).

I wonder if that is also the same for the SSNs, since that also includes a separate table for decrypting the values. If SSNs weren't salted and they had the encryption key they could have just generated a table of every possible social security number and their encrypted value.

[leadeater]

39 minutes ago, TVwazhere said:

-This is Not an April Fools Joke-

 

True, it is not an April Fools Joke 

 

40 minutes ago, TVwazhere said:

AT&T passcodes

Excuse me what? They were stored reversible why?

[TetraSky]

Why does AT&T even have social security numbers of people... It's weird how Americans are giving their unique identification numbers that can't be changed easily to whichever company that asks for it, when it should really only be given to your employer, your bank and the government. Or at least, that's how it is in Canada.

 

I wonder what AT&T will do to make this right... When we had a leak with Desjardins (a sort of bank in Quebec), they provided 5 years of free Equifax Premier to all members... Which is kind of pointless as the crims can simply wait out the 4 years before they start abusing the information they got.

[Spotty]

8 minutes ago, TetraSky said:

I wonder what AT&T will do to make this right...

Would you like Option A or Option B?
 

[wanderingfool2]

1 hour ago, leadeater said:

Excuse me what? They were stored reversible why?

While strictly speaking a passcode (in terms of phone companies) don't have to be reversable, I think the concept is it's a whole lot more helpful if they are. [Noting passcode being different from the password]

 

The only times I ever encounter a passcode with phone providers is when making changes/accessing information to the account and am talking to a human.  So for them it's helpful for them to actually see the passcode (in the event someone is getting really close but not quite correct).

 

I know they could in theory just keep typing in the guess, and verifying but figuring out how close someone was can also determine whether or not the end user trusts accepting multiple passwords.  As an example, one of my former work passcodes was setup by a former employee and wrongly documented...now yes I could have gotten it reset, but that's a whole other set of procedures which would have taken up at least half an hour [of not just my time but required proof of someone who is documented from the company as being in a position, like the president or the owner]

 

Anyways, not wanting to go that route, I talked to the employee and was able to say the documented passcode.  I was phoning from the number itself, and had all the other information, so they accepted the "wrong" code because the middle two numbers were transposed.  I had actually asked them about it, and apparently it was quite common as well for people to get the passcode mostly correctly [where sometimes it was when they originally setup the passcode it was typed in wrong]

 

So I can understand why the passcode was in a reversable form, especially given it's used similar to a pin rather than a password.

 

 

With that said, the SSN seems quite the overreach for a phone company

[leadeater]

54 minutes ago, wanderingfool2 said:

While strictly speaking a passcode (in terms of phone companies) don't have to be reversable, I think the concept is it's a whole lot more helpful if they are. [Noting passcode being different from the password]

The only times I ever encounter a passcode with phone providers is when making changes/accessing information to the account and am talking to a human.  So for them it's helpful for them to actually see the passcode (in the event someone is getting really close but not quite correct).

Ah so the AT&T passcode is identification verification if you ring up and you tell them that? OK yea that would have to be stored reversible.

 

I guess pitchfork down 

 

I can't remember which company I called but they do it by pressing numbers on the phone, they transfer you to a verification line and you enter the numbers via dialed numbers and it checks it that way, means you can use one way hashing.

[wanderingfool2]

15 minutes ago, leadeater said:

Ah so the AT&T passcode is identification verification if you ring up and you tell them that? OK yea that would have to be stored reversible.

 

I guess pitchfork down 

 

I can't remember which company I called but they do it by pressing numbers on the phone, they transfer you to a verification line and you enter the numbers via dialed numbers and it checks it that way, means you can use one way hashing.

At least from my brief understanding of it [based on my experience with Canadian Providers], I believe it's the case.  I mean I could be wrong, but given it's only 4 digits anyways it's not too much of a risk since a large chunk of people will just put in their year of birth or street address.

 

My biggest pitchfork up is that the SSN, name, phone number and address were compromised...at that stage it would be easy enough to assume someone's identity [or pull off more intricate scams].  [Like the one where they request reset Apple passwords 100's of times, call with a spoofed number matching Apple tech support, and then provide all the information like SSN number, address and name that would convince the person it's a valid caller]

[leadeater]

10 minutes ago, wanderingfool2 said:

My biggest pitchfork up is that the SSN, name, phone number and address were compromised...at that stage it would be easy enough to assume someone's identity [or pull off more intricate scams].  [Like the one where they request reset Apple passwords 100's of times, call with a spoofed number matching Apple tech support, and then provide all the information like SSN number, address and name that would convince the person it's a valid caller]

I like how in my country our equivalent to SSN is entirely worthless for identification in any way, it's only used for tax purposes and isn't a form of accepted identification nor ever ask as part of any process to prove identity. SSN itself just seems flawed to me, but a well, can't be changed now (ignoring epic hard effort to do so).

 

Edit:

You also don't need to give it to get:

• Drivers license
• Bank account
• Credit card
• Finance/Store personal loans

[Kid.Lazer]

4 hours ago, TetraSky said:

Why does AT&T even have social security numbers of people... It's weird how Americans are giving their unique identification numbers that can't be changed easily to whichever company that asks for it, when it should really only be given to your employer, your bank and the government. Or at least, that's how it is in Canada.

Unfortunately, it's just the nature of the beast. Whether or not it's a dumb policy is irrelevant since it's practically required to perform any sort of business anymore. Kind of like having a good credit score. It's a ridiculous game you have to play with banks and credit agencies, and yet it's near impossible to do business without it unless you have access to gobs a cash (and even then, you'll be questioned hard as to WHY you have gobs of cash).

[Lurick]

@wanderingfool2 and @leadeater

The understanding is correct, the passcode just a 4 digit pin as additional verification that you're the account holder and authorized to make changes.

[ARandomPerson]

      From someone I know who works for AT&T, the messaging from the higher-ups about the cause of the outage was inconsistent and contradictory, so this news is not surprising; it is just disappointing. I guess we all have to have an eagle eye on all data. And if you are an employee, congrats! Your SSN might also be compromised, and we all know how easily THAT can be fixed (For those outside the US, your SSN is your Social Security Number, and it is linked to your retirement fund. On top of being an unsecured set of numbers, it also unofficially has the role of your Government ID, and losing it once will follow you for years to come)

 

Congrats AT&T, you punished your former and current customers, as well as your employees, for entrusting their data with you. Hey, at least you gave us $5, so I guess everything is fine.

[Donut417]

8 hours ago, TVwazhere said:

Most concerning is the leak of Social Security numbers and dates of birth. 

 

Eh. Equifax already leaked half of American's social security numbers. Thats why I keep my credit on Deep Freeze. T Mobile has already been breached like 5 times. Comcast got breached last year. It was only a matter of time for AT&T.

[Mark Kaine]

7 hours ago, TetraSky said:

Why does AT&T even have social security numbers of people... It's weird how Americans are giving their unique identification numbers that can't be changed easily to whichever company that asks for it, when it should really only be given to your employer, your bank and the government. Or at least, that's how it is in Canada.

 

I wonder what AT&T will do to make this right... When we had a leak with Desjardins (a sort of bank in Quebec), they provided 5 years of free Equifax Premier to all members... Which is kind of pointless as the crims can simply wait out the 4 years before they start abusing the information they got.

ironically,  i think its because they don't like passports,  because it hinders their "freedoms" so its much better to give this crucial information of identification to any random instead. xD

 

[Donut417]

11 minutes ago, Mark Kaine said:

i think its because they don't like passports, 

Thats a misconception. The reason most American's dont have a pass port is because our country is so freaken huge we dont need to leave to enjoy a vacation. Secondly if traveling by ship or land we can enter Canada and Mexico if you have a enhanced license which is a lot cheaper than a passport. Thirdly most of us could not afford to travel to the EU or ASIA for that matter. Most of us are what you would call poor.

[Kisai]

11 hours ago, Lurick said:

I got the email the other day, they said only my passcode was impacted but we'll see if that's really the case.

If you've ever had an AT&T Wireless or Cingular account before LTE, your full SSN is in the system somewhere. The question is "which system" is compromised. Because the TDMA system had the full SSN visible to anyone who looked for it, and the GSM system obscured all but the last 4 digits (so you could never look up by SSN.) I don't know AT&T or Cingular's system ultimately was used for the LTE backend, but the reason "no billing/call information" was obtained is because these are generated at the MSC. So there is no way to actually get into this system from a front end compromise. 

 

It's been years, so things could have changed a lot since then.

 

My bet is someone at an outsourcer just captured the endpoint data without anyone noticing from a "web" CRM tool.

[Zodiark1593]

5 hours ago, Donut417 said:

Eh. Equifax already leaked half of American's social security numbers. Thats why I keep my credit on Deep Freeze. T Mobile has already been breached like 5 times. Comcast got breached last year. It was only a matter of time for AT&T.

Hot take. Credit should probably be frozen by default. 

[Lurick]

8 hours ago, Kisai said:

If you've ever had an AT&T Wireless or Cingular account before LTE, your full SSN is in the system somewhere. The question is "which system" is compromised. Because the TDMA system had the full SSN visible to anyone who looked for it, and the GSM system obscured all but the last 4 digits (so you could never look up by SSN.) I don't know AT&T or Cingular's system ultimately was used for the LTE backend, but the reason "no billing/call information" was obtained is because these are generated at the MSC. So there is no way to actually get into this system from a front end compromise. 

 

It's been years, so things could have changed a lot since then.

 

My bet is someone at an outsourcer just captured the endpoint data without anyone noticing from a "web" CRM tool.

Thankfully only had AT&T internet, never an account with the wireless side

[Donut417]

6 hours ago, Zodiark1593 said:

Hot take. Credit should probably be frozen by default. 

The issue with that is its a pain to do stuff. Want to switch cell carriers? You have to remember to unfreeze your credit at all 3 bureau's. Want to rent an apartment? Same thing. Too many businesses expect to be able to run your credit. I think it takes 24 hours to for them to process a credit unfreeze. Then you either have to remember to refreeze it which I think costs $10 per bureau or you can do a temp unfreeze for a number of days.

[leadeater]

2 hours ago, Donut417 said:

The issue with that is its a pain to do stuff. Want to switch cell carriers? You have to remember to unfreeze your credit at all 3 bureau's. Want to rent an apartment? Same thing. Too many businesses expect to be able to run your credit. I think it takes 24 hours to for them to process a credit unfreeze. Then you either have to remember to refreeze it which I think costs $10 per bureau or you can do a temp unfreeze for a number of days.

Credit system is just kinda dumb, here the regulations for loans and credit card applications is an affordability assessment. You have to give proof of employment and what your income is, disclose ALL your expenses and they then run a calculation for what loan amount your can afford at the current interest rates. Don't matter how well, on time or whatever you have been paying your loans/credit etc because you could be neglecting standards of living etc or recent situation change.

 

Credit history is an inaccurate approximation of if you can afford a debt, an affordability assessment is much more accurate. Of course people will, do, complain about banks etc poking their noses in to your financial affairs but the sad reality the majority are just horrible at finances and will go in to debt that they cannot actually afford and will swear the whole time they can.

 

Credit history is really only useful for looking at historical and current non-payment, not a lot else. That's all it is used for here.

 

Like you shouldn't even be able to take out a loan or credit card without current proof of identity that includes a copy of a utility or bank statement within the last 6 months physically mailed to your address plus all the other stuff. There are a lot better ways and factors to prove identity but it seems resistance to improvements and change always wins out due to cost at the expense of the consumer and identity theft/fraud etc.

 

All these regulations and reform changes would take a damn long time and a lot of cost involved but personally I don't see that as a good reason not to do it, it's not like banks and finance institutions aren't making billions in profit every year, they can afford it.

[Zodiark1593]

1 hour ago, leadeater said:

Credit system is just kinda dumb, here the regulations for loans and credit card applications is an affordability assessment. You have to give proof of employment and what your income is, disclose ALL your expenses and they then run a calculation for what loan amount your can afford at the current interest rates. Don't matter how well, on time or whatever you have been paying your loans/credit etc because you could be neglecting standards of living etc or recent situation change.

 

Credit history is an inaccurate approximation of if you can afford a debt, an affordability assessment is much more accurate. Of course people will, do, complain about banks etc poking their noses in to your financial affairs but the sad reality the majority are just horrible at finances and will go in to debt that they cannot actually afford and will swear the whole time they can.

 

Credit history is really only useful for looking at historical and current non-payment, not a lot else. That's all it is used for here.

 

Like you shouldn't even be able to take out a loan or credit card without current proof of identity that includes a copy of a utility or bank statement within the last 6 months physically mailed to your address plus all the other stuff. There are a lot better ways and factors to prove identity but it seems resistance to improvements and change always wins out due to cost at the expense of the consumer and identity theft/fraud etc.

 

All these regulations and reform changes would take a damn long time and a lot of cost involved but personally I don't see that as a good reason not to do it, it's not like banks and finance institutions aren't making billions in profit every year, they can afford it.

I think there’s some room for considering repayment history (someone with really poor organization represents a higher risk, even if they have money, taking it by force is expensive), though can certainly be weighed less. 
 

One aspect in the US that kind of blows a hole in relying on income, is the fact that most people here are employed At-Will, meaning that a borrower may be fired at any time, for any (non-protected) reason, or no reason. Even for someone not necessarily living paycheck to paycheck, an unexpected loss of job can be quite damaging. 
 

If I was a lender, I’d probably want to see adequate cash buffers to weather a storm (which itself can also indicate financial management), as otherwise I’m merely gambling on the borrower still having a job. A second job (or dual-income household) or side hustle would also provide a level of redundancy that reflects lower risk as well. 

If it’s allowed under law, I’d probably factor in general health of the borrower and family members as well. Many bankruptcies occur due to unexpected medical expenses, so a household placing their health first represents lower risk of medical expenses eating their buffers. I may even require a life insurance contract in more severe cases. 

Genetic factors, while tangibly impactful, are probably a step too far. 

[leadeater]

16 minutes ago, Zodiark1593 said:

I think there’s some room for considering repayment history (someone with really poor organization represents a higher risk, even if they have money, taking it by force is expensive), though can certainly be weighed less. 

Well I mean that's what I mentioned, that's all it is used for here. Good "credit" will never get you anything here, bad credit can get you denied but life here doesn't revolve around credit scores and way less things effect it, way less.