[HN Gopher] Inside the Massive Alleged AT&T Data Breach
___________________________________________________________________
Inside the Massive Alleged AT&T Data Breach
Author : gulced
Score : 218 points
Date : 2024-03-19 10:19 UTC (12 hours ago)
(HTM) web link (www.troyhunt.com)
(TXT) w3m dump (www.troyhunt.com)
| bloopernova wrote:
| Have any corporations previously tried to deny they were
| breached?
|
| I'm wondering what AT&T thinks they'll achieve? If they're lying,
| that is.
| ActionHank wrote:
| I think that they realise that they can shift the burden of
| proof onto the accusers and call it a day. Unless the people
| behind the breach actually claim responsibility and allege it
| was AT&T that was breached, it's near impossible for anyone to
| prove them wrong.
| supertrope wrote:
| The legal and PR teams just stick their heads in the sand.
| For example one could say "While there was unauthorized
| access there is no evidence that any personal information was
| taken." There's zero incentive to confirm the extent of PII
| leaks as it just triggers more liability and regulatory
| scrutiny.
| toomuchtodo wrote:
| This seems to me like it becomes securities fraud if
| they're lying due to new SEC cyber disclosure regs.
|
| https://www.sec.gov/news/statement/gerding-cybersecurity-
| dis...
| ActionHank wrote:
| There will be no paper trail of them even looking, it's
| not lying if they don't see any proof and didn't look.
| toomuchtodo wrote:
| Someone is always unsophisticated enough to leave an
| email paper trail. The necessary incantation is
| "litigation hold."
| humansareok1 wrote:
| Everything is securities fraud so this is a low bar.
| bbarnett wrote:
| You're a securities fraud, you are!
| explorigin wrote:
| Theory: AT&T has a known relationship with the NSA. Maybe the
| leak was due to an NSA screw-up. In that case, they're telling
| a half-truth but wouldn't be allowed to tell the whole truth.
| azinman2 wrote:
| The NSA screwed up and it ended up in the hands of someone
| who routinely hacks into large corps?
|
| This doesn't pass the basic smell test. I really don't want
| HN to fall down the conspiracy hole that much of the internet
| now has. It's eating away at our societal fabric and is wrong
| 99.9% of the time.
| lionkor wrote:
| Theory: Someone at AT&T suffered a traumatic brain injury,
| posted all this data, forgot about it, quit, and is now
| living in a cottage somewhere in the mountains of Canada.
| alephnerd wrote:
| Fake news. A Texan can't survive the freezing winters in
| Banff. /s
| ethbr1 wrote:
| Since there's no required data custody trail (hint, hint:
| should be required in privacy legislation!), we'll never know.
|
| But I expect the simplest explanation is, as the article
| posits:
|
| 1) ATT contracts out portions of its business operations to
| third parties.
|
| 2. Those third parties, in the course of their business,
| require and have access to customer information.
|
| 3 - One of those third parties was breached.
|
| #4 ATT may or may not know. (Or may deliberately be not-asking
| their contractor)
|
| Presto! Security by ignorance!
|
| Given the access to SSNs, I'd assume something to do with
| private credit scoring.
| Workaccount2 wrote:
| My guess, with AT&T being an enormous and ancient corporation
| long past its glory days, is that internally it's a stale mess
| serviced by people unwilling to dive into it.
|
| The breach did happen, but things under the hood are so bad
| that they have no idea it happened. The layers of incompetence
| and don't-give-a-fuck completely obscure the evidence. The IT
| team, staffed mostly by young green cards who weren't even in
| this country 3 years ago, stare blankly at AT&T's internal
| auditing system developed in the 90's with a long dead and
| strictly proprietary language. Doesn't matter because the
| system didn't even catch the breach anyway. As you move up the
| chain, people just get more divorced from reality as they live
| in the delusion of AT&T still being a forefront technology
| company. So of course the breach didn't happen to them.
|
| At least that is my theory.
| alephnerd wrote:
| Your theory is wrong.
|
| I've sold and managed products that AT&T's various security
| organizations use organization wide and have helped them with
| some scares.
|
| Without going too deep (and entering NDA breaking territory
| with ATT and former employers), I'll say I'm very confident
| about their internal security posture.
|
| Also, a lot of the insinuations in your post are just plain
| racist and insulting.
|
| Trust me, don't trust me. Idc. It's the internet.
| Workaccount2 wrote:
| So you are confident that they didn't leak this data?
|
| Also, young green card in this context is synonymous with
| cost cutting. Young being inexperienced, green card being
| cheap. I apologize if you racially identify as green card.
| haliskerbas wrote:
| You could have just said cheap and or inexperienced.
| Adding "green card" and the part about not being from
| here adds a layer of political and racial undertone even
| though green card isn't necessarily a race.
|
| When they called me curry girl it was a racist remark
| even though curry is not a race.
| Nextgrid wrote:
| Green card/implication of foreign labor does add an extra
| bit of information beyond just inexperience - it's that
| they are likely to be less acquainted with the
| laws/regulations which means they can be convinced to do
| illegal things and are less likely to know their rights
| and stand up to bad/illegal treatment by their employer.
| dogtierstatus wrote:
| Your theory is definitely plausible.
|
| Source: Worked sometime for a subcontractor of a
| subcontractor of AT&T from a third world country.
| Nextgrid wrote:
| That is correct. This kind of large legacy company has zero
| engineering culture. Engineering is not rewarded nor
| empowered to do its job well and is sometimes seen as a
| threat (engineering working _too_ well = entire departments
| could become redundant), which means nobody competent joins
| /stays there and only mediocrity remains.
| bombcar wrote:
| Maybe we need a financial system where an unchangeable nine digit
| number is the passcode to unlimited credit. Maybe "instant
| credit" isn't something we actually need as a society so we can
| have some more checks and balances. Maybe people shouldn't be on
| the hook when banks idiotically loan to anyone with the magic
| number.
| BramLovesYams wrote:
| But if we did that financial executives won't be able to afford
| that 5th vacation home! I'll stay here in the muck with my
| stolen identity incurred debt thank you very much. One day I'll
| tug these bootstraps hard enough.
| pionar wrote:
| I got a notification from HIBP about this with my email address.
| I'm not currently an AT&T customer, but I was a customer of them
| back in 2015-2017 for AT&T UVerse.
| najarvg wrote:
| Then likely your account info is exposed. I know a couple of
| former AT&T U-verse subscribers (not current) whose account
| info, including SSN, has been exposed.
| zhaso wrote:
| I got an interesting scam attempt the other day which was very
| similar to the one described in this AT&T forum post:
| https://forums.att.com/conversations/wireless-account/call-f...
|
| Seeing this now, it makes a lot of sense how the scammers would
| know to target me.
|
| tl;dr is that some scammers knew I had an AT&T account, and
| called posing as some AT&T branch that could only speak Chinese
| (ostensibly serving NYC Chinatown). I think they're targeting
| 2nd-gen Chinese speakers and forcing them into likely broken
| Chinese to throw them off guard.
| Izkata wrote:
| I've been with AT&T since they merged with Cingular in 2004-2006
| or so, and according to https://haveibeenpwned.com/ I'm not
| included in this dump. However I didn't split my account from my
| parents until 2021 or so, so I'm not sure if I would have been or
| not if this was from before then.
|
| Edit: My parents' email addresses aren't showing in this dump
| either. Looks like we weren't included at all, so it can't just
| straight be all AT&T customers.
| onedognight wrote:
| I too have been with AT&T since the Cingular merger and am also
| not in the HIBP db. I use a custom email address related to
| Cingular, which I otherwise would have forgotten existed.
| nzealand wrote:
| I've been with AT&T forever, I've used a custom email address
| for AT&T since forever, and my email address is also not in
| the dump (I have a Premier account.)
| EvanAnderson wrote:
| Same here. My 2004-era Cingular-specific email isn't in HiBP.
| nickburns wrote:
| keep in mind that HIBP doesn't offer any bare name, physical
| address, phone number, social security number, or birthdate
| lookup (at least as far as i can tell). i would take its
| utility regarding this breach with a grain of salt, and query
| the actual raw dataset if i wanted to be absolutely sure.
| Izkata wrote:
| According to the article:
|
| > As of now, all 49M impacted email addresses are searchable
| within HIBP.
| nickburns wrote:
| and what about accounts that never furnished an email
| address? unassociated/orphaned/duplicate/etc. datapoints?
|
| full disclosure: i have not seen the raw dataset.
| Izkata wrote:
| I think I'd know how I sign into the website.
| EricE wrote:
| Just checked and I'm not in it either according to
| havibeenpwned.com, but was an AT&T customer for over 15 years
| and only recently stopped being an active customer.
| observationist wrote:
| Your link is misspelled - HAV ibeenpwned and not HAVE
| ibeenpwned.com. It links to a malicious site.
| dylan604 wrote:
| This is always my first concern anytime I want to register
| a domain. How much is it worth to me to also register
| variants of it just to protect against this. It used to be
| just own all the TLDs, but now we have common typos as well
| just to protect your brand. For a money generating company,
| a few hundred monetary units annually isn't too bad, but
| sheesh, just another example of how people are assholes!!
| alphabettsy wrote:
| It could be AT&T wireline/fiber only or something.
| ttehr wrote:
| That looks to be the case since I'm not an AT&T wireless
| customer, but am a user of their fiber services.
| aaronharnly wrote:
| According to this chart (whose source you have to pay to see,
| so unknown reliability), ATT Wireless has had well north of
| 150m customers in the date range in question, so it wouldn't be
| all of them.
| cptskippy wrote:
| I use a different email address for every service. I can confirm
| that my att@ email is in the dataset. So the data originated from
| AT&T.
| TheDong wrote:
| I think what AT&T is saying is that it wasn't taken from AT&T
| servers. Rather, AT&T gave the data to some third-party data-
| processor (i.e. to some ad company), and that company then lost
| it.
|
| ... Honestly, that shouldn't really make us feel any better
| about them though, like why would AT&T give out data that
| includes SSNs to third-party data-processors.
| bearjaws wrote:
| If this is true, and they sent SSN willingly to random third
| parties, they should be forced to pay for a decade of credit
| monitoring.
| Dalewyn wrote:
| I'm pretty sure I have several lifetimes' worth of free
| credit monitoring with all the breachleaks happening all
| the damn time, if I could be arsed to redeem them.
| cptskippy wrote:
| It would be nice if they just automatically signed you up
| for them. They already have and leaked your PII...
| SteveNuts wrote:
| How long until we see speculators opening life insurance
| policies for people based on breached PII and PHI?
|
| "This guy looks like he could drop dead any minute, let's
| put a million dollars on him"
| GrinningFool wrote:
| That would mostly benefit the monitoring services, and
| still leave each individual customer on the hook to fix the
| issues this caused for them.
|
| "free credit monitoring" should not be considered a valid
| solution to "oops we leaked your private data".
| addandsubtract wrote:
| That's almost worse than leaking it themselves. There's also
| no excuse for sharing that data.
| michaelcampbell wrote:
| Indeed, AT&T is more concerned about BEING breached as a
| first order than data under their responsibility got out...
| anywhere.
|
| I doubt anyone affected will care about any such distinction.
| butlike wrote:
| But the static pieces of information like address, phone
| number, etc. can carry over between services. Is there any
| reason to suspect a Frankenstein breach, where only the
| subscriber email list was leaked, and the other data was
| correlated into personas, giving the impression it all came
| from one source?
| cptskippy wrote:
| They would need more than an email address to make a
| meaningful match in this case, since we're stating the email
| is unique to AT&T.
|
| That being said, I've never heard of hackers performing
| Master Data Management but I guess it's possible. I'd hope
| they'd use something other than full name for their
| matches...
| m463 wrote:
| Same here. and I gave my name to them in a particular unique
| way. I have been getting phishing emails to that name and email
| address for a while now.
| toast0 wrote:
| My att@ address is also in the data set. I've used AT&T
| wireless, landline, and u-verse/fiber, all in California, but
| didn't think to use different addresses for them [1].
| Additionally, in May 2023, someone attempted to open a Bank of
| America account using my att@ email address and presumably
| other details from the data. So that was fun.
|
| [1] maybe the wireless was with cingular@ though, I think I
| signed on before AT&T reassembled, like the T-1000.
| lionkor wrote:
| I didn't know that subscribing to HIBP is free! Just for anyone
| else who assumed it would (maybe could) cost money.
| crotchfire wrote:
| if you aren't paying for it then _you_ are the product being
| sold
| janwillemb wrote:
| How do you think this works in case of HIBP?
| Shrezzing wrote:
| To an extent, we're all the product on HIBP. The site runs
| commercial subscriptions, where services pay some nominal
| fee to find out if its users are reusing a password they
| used on NeoPets 20 years ago. The site also runs some
| advertising. Irrespective of how optimised the application
| is, it has infrastructure and staff costs which need to be
| paid for in some way.
|
| There's 13bn leaked accounts on the site, and although Hunt
| does appear to run the site entirely selflessly with
| little/no profit motive, there is at least some
| commercialisation of the accounts listed bringing in
| revenues to cover its costs.
|
| It's free for us because somewhere in the chain, someone is
| paying for data about us - even if their use-case isn't
| nefarious.
| mixologic wrote:
| I own my own domain name, and 28 variations of my email
| address have appeared in various breaches. In order to
| search and receive alerts for my domain, i had to sign up
| for a $16/mo service.
|
| It's not free unless you just have one email.
| Trellmor wrote:
| HIBP has a domain search [1] that's free.
|
| [1] https://haveibeenpwned.com/DomainSearch
| butlike wrote:
| who cares
| mmsc wrote:
| If there is evidence that AT&T's DirecTV was breached in 2021,
| what could the repercussions for them be?
| annoyingnoob wrote:
| I've had cell service with ATT since at least 1998, with the same
| email address the entire time. I do not use any of ATT's other
| services, never have. I am not on this list.
| x86a wrote:
| Same here, and my personal email is also not in the list.
|
| However, my former work email, that I used to sign up for both
| U-verse fiber and a corporate mobile account, is on the list. I
| suppose that all happened in 2016-2018.
| sargun wrote:
| I find it funny that companies like AT&T and Equifax are barely
| scrutinized for their data handling practices compared to the
| Amazon and Googles of the world. I wonder why that is.
| thePhytochemist wrote:
| Yes! Equifax has very lax security. Last year they leaked my
| social insurance number to a fraudster. When they were
| describing this on the phone they didn't seem to think they did
| anything wrong. What makes it worse is I never even gave it to
| them - they just get it straight from the government I guess?
| pksebben wrote:
| They get it all kinds of ways. There's a podcast on their big
| breach that talks about some of them -
| https://spokemedia.io/breach/
| pksebben wrote:
| My first instinct was lobbying spend, but Amazon and Google
| show up in the top 20 and Equifax isn't on the list (although,
| I have my suspicions that the numbers here aren't necessarily
| the whole picture. Financial chicanery is a whole industry,
| after all). [1]
|
| I can imagine, though, that hiding information is a lot easier
| when you're less often in the public eye. Amazon and Google,
| through their ubiquity, have a higher hill to climb when it
| comes to avoiding scrutiny.
|
| 1 - https://www.opensecrets.org/federal-lobbying/top-spenders
| bashinator wrote:
| Just once, I wish a journalist would ask for a clarification wrt
| absence of evidence. "Are you saying you don't know or have no
| way of knowing whether there was a data breach?"
| smarx007 wrote:
| I think encrypted DOBs and SSNs are the smoking gun. There may be
| no way to prove that '1996-07-18' DOB came from AT&T but it's
| quite hard to deny that the encrypted value
| '*0g91F1wJvGV03zUGm6mBWSg==' was produced by their systems (or
| not).
| nickff wrote:
| I don't understand this comment, you say the encrypted values
| "are the smoking gun", then at the end you say "(or not)". Are
| you saying this happened, and the encrypted values show it, or
| are you just saying that they seem like evidence either way?
|
| Even if we had AT&T's keys, I think it might be non-trivial to
| verify that they correspond to this data, depending on how AT&T
| encrypts.
| smarx007 wrote:
| > Even if we had AT&T's keys, I think it might be non-trivial
| to verify that they correspond to this data
|
| What I was trying to say is that if AT&T systems (or a
| backup) contain that exact encrypted value (no need for a
| decryption key), it's a near-certain proof that the data came
| from their system.
|
| > then at the end you say "(or not)".
|
| Well, only AT&T DBAs/SREs should be able to confirm what I
| wrote above and I don't want to accuse anyone without proof.
| Same reason why Troy Hunt wrote "allegedly".
| nickff wrote:
| The original comment comes off a bit more like an
| accusation with an escape clause. I'd agree that if the
| leaked data contains exactly the same information as the
| alleged source's servers, it would be evidence of the
| veracity of its source, but that has nothing to do with
| whether or not the data is encrypted.
| smarx007 wrote:
| I beg to differ. If the PII in the leak matches what's in
| AT&T DBs, they can still maintain plausible deniability
| that there is no proof the PII leaked _from them_. An
| encrypted DOB requires the DOB and an encryption key. The
| latter shall be unique and securely stored in their
| system and that's why I referred to the presence of the
| encrypted data specifically as a smoking gun.
| athenot wrote:
| I use unique email addresses for each company; the one I
| use with AT&T (and only them) is in the dump. So I know
| at least the email was leaked from them.
|
| Of course that doesn't say anything about the other PII
| but at this point, I figure my PII has already been
| leaked multiple times.
| lulzury wrote:
| Consider getting in touch with your senator or representative [0]
| and also the FCC [1]. The recent changes we're seeing in other
| areas of the federal government give reason to stay a bit hopeful
| that the treatment of these kinds of breaches doesn't stay the norm.
|
| Lack of stewardship for folks' data should not just be the "cost
| of doing business".
|
| [0] https://www.usa.gov/elected-officials
|
| [1] https://consumercomplaints.fcc.gov/hc/en-
| us/articles/8824334...
| AtNightWeCode wrote:
| I have not really thought this through but maybe there could be a
| forced requirement to add a watermark to the data when storing
| sensitive PII.
|
| Hackers could then use the watermark to prove the authenticity of
| the data and users could use it to check if their data have been
| breached.
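As an added illustration (not from the article or from any commenter) of smarx007's argument that an exact keyed ciphertext proves provenance where a plaintext DOB does not, and of AtNightWeCode's watermark idea: a stdlib-only Python sketch in which HMAC-SHA256 under a constructed demo key stands in for whatever real cipher a custodian uses, and a label bound into each token plays the role of the watermark. Keys, customer ids and the label are all constructed for the demo.

```python
import base64
import hashlib
import hmac
from typing import Dict, Iterable, Set

# Constructed demo keys: stand-ins for the key a custodian keeps in its own
# key store and for a key held by some unrelated party.
OPERATOR_KEY = b"constructed-demo-key-for-the-operator"
UNRELATED_KEY = b"constructed-demo-key-for-someone-else"


def keyed_token(key: bytes, label: str, value: str) -> str:
    """Deterministic keyed transform of one PII field.

    Truncated, base64-encoded HMAC-SHA256 stands in for the real cipher; what
    matters for the argument is that the output depends on a secret key, so
    it cannot be recomputed from the plaintext alone. The label is bound into
    the token and acts as a custodian watermark.
    """
    msg = label.encode() + b"\x00" + value.encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.b64encode(mac[:16]).decode()


def build_store(key: bytes, label: str, dobs: Dict[str, str]) -> Dict[str, str]:
    """What the custodian's database (or a backup) holds: customer id -> token."""
    return {cid: keyed_token(key, label, dob) for cid, dob in dobs.items()}


def verify_with_key(key: bytes, label: str, value: str, token: str) -> bool:
    """Check only the key holder can do: recompute the token and compare."""
    return hmac.compare_digest(keyed_token(key, label, value), token)


def match_leak_against_store(store: Dict[str, str], leaked: Iterable[str]) -> Set[str]:
    """Check that needs no key: which leaked tokens appear verbatim in the store?

    A plaintext DOB could have come from anywhere; an exact keyed token can
    only have been produced by whoever holds the key.
    """
    stored = set(store.values())
    return {t for t in leaked if t in stored}


# Constructed sample data (the first DOB is the one quoted in the thread).
CUSTOMER_DOBS = {"c1001": "1996-07-18", "c1002": "1981-02-03", "c1003": "1970-11-30"}
LABEL = "dob-store-v1"
STORE = build_store(OPERATOR_KEY, LABEL, CUSTOMER_DOBS)

# Leak 1: tokens copied from the custodian's own systems.
LEAK_FROM_OPERATOR = [STORE["c1001"], STORE["c1003"]]
# Leak 2: the same DOBs, but transformed under someone else's key.
LEAK_FROM_ELSEWHERE = [keyed_token(UNRELATED_KEY, LABEL, d) for d in CUSTOMER_DOBS.values()]

if __name__ == "__main__":
    print("operator-keyed tokens found in store:", len(match_leak_against_store(STORE, LEAK_FROM_OPERATOR)))
    print("unrelated-keyed tokens found in store:", len(match_leak_against_store(STORE, LEAK_FROM_ELSEWHERE)))
    print("custodian verifies c1001:", verify_with_key(OPERATOR_KEY, LABEL, "1996-07-18", STORE["c1001"]))
```

The keyless check is a plain set lookup, so anyone holding a copy of the custodian's stored values (a DBA, or an auditor with a backup) can run it without touching the key; the keyed recompute is available only to the key holder.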
| 404mm wrote:
| One of my email addresses is listed in HIBP under the ATT leak. I
| haven't had this address with ATT in 2021 and probably many years
| before that. Either the data doesn't come from ATT or it's really
| old. Unfortunately I cannot see the other details. Address would
| be a good point-in-time reference.
| pjungwir wrote:
| > I've personally also used identity theft protection services
| since as far back as the 90's now, simply to know when actions
| such as credit enquiries appear against my name.
|
| I've always thought companies offer those for ulterior motives,
| e.g. maybe they get a fee for giving the protection service
| future customers. Do others use them? Maybe I've been wrong here.
| ergonaught wrote:
| HIBP notified me I'm in this, but I haven't been an AT&T customer
| since early 2017.
|
| Would love to see what's in it but, eh.
___________________________________________________________________
(page generated 2024-03-19 23:01 UTC)