On March 9, 2023, U.S. telecommunications giant AT&T notified customers of a January data breach in which an unidentified threat actor breached a vendor's system and gained access to "Customer Proprietary Network Information" (CPNI), which it defined as data related to telecommunications services. AT&T did not identify the responsible entity, but specified it was a marketing vendor, disclosing to the media that approximately nine million wireless accounts had their CPNI accessed due to an unidentified vulnerability.
AT&T denied that attackers reached sensitive personal or financial data, such as social security numbers, credit card information, dates of birth, account passwords or SIM/IMEI information. AT&T admitted that the information included customers’ names, wireless account numbers, wireless phone numbers, email addresses, numbers of lines per account, wireless plan subscription details, device information related to upgrade eligibility, past due amounts, monthly payment amounts, and monthly charges or minutes used. While AT&T added that the information was several years old, this type of data could still be misused in further malicious operations.
According to AT&T, the company addressed the issue by confirming that the vendor fixed the vulnerability and notified federal law enforcement about unauthorized CPNI access to comply with U.S. Federal Communications Commission (FCC) regulations. AT&T also advised customers to consider adding its free "extra security" password protection feature to accounts.
During the same month that the AT&T marketing vendor was breached, unidentified attackers accessed the personal information of millions of current customer accounts of AT&T’s competitor, T-Mobile, via its Application Programming Interfaces (APIs). The affected customers included both standard plan subscribers and prepaid account holders. While T-Mobile did not disclose the exact point of access in this breach, malicious actors frequently buy compromised credentials on the underground or bypass authentication protocols to gain unauthorized access to sensitive data. According to T-Mobile, the breach began on November 25, 2022, and the company detected the intruders on January 5, 2023, initiating mitigation efforts the following day.
Similar to AT&T’s contentions, T-Mobile announced that threat actors did not access customers’ sensitive information (driver's licenses, social security numbers, passwords, payment card information, and financial account information) via the exploited API. Threat actors reportedly accessed and potentially stole customers’ names, billing addresses, emails, phone numbers, dates of birth, T-Mobile account numbers, and other account details, such as plan features.
The January breach marked the eighth data breach that T-Mobile has suffered since 2018, with a now-inactive extortion gang taking credit for an April 2022 attack that leveraged stolen credentials. AT&T, for its part, denied that it suffered a major breach in 2021, when a well-known threat actor advertised a database that allegedly contained the personal information of 70 million AT&T customers.
As the confirmed breaches of AT&T’s marketing vendor and T-Mobile illustrate, threat actors continue to target telecommunications conglomerates, testing their security standards. To that end, multiple threat actors have taken advantage of T-Mobile’s unsecured systems to breach its networks and steal sensitive information, which could be reused in further malicious operations. Based on the intel items in the next section, it appears that threat actors are abusing and trying to profit from AT&T’s stolen data.
Following the January 2023 breach of AT&T’s marketing vendor, a member of a popular cybercrime forum advertised data allegedly sourced from AT&T. In the post below, the threat actor claims to be selling “lookup[s] of email addresses and phone numbers” associated with AT&T from a database that is also for sale. Despite the fact that the timeframe of the threat actor’s post coincides with the period in which AT&T’s marketing vendor was breached, the two events cannot be linked with complete certainty.
According to the threat actor, each lookup sells for $20 of XMR, the abbreviation for Monero, a privacy coin that is harder to trace than cryptocurrencies such as Bitcoin. As the next intel item illustrates, threat actors could use this type of lookup for a variety of nefarious purposes, such as spearphishing and fraud. The post below garnered positive responses from two fellow forum members, both of whom appeared to vouch for the threat actor.
This threat actor is highly active on the cybercrime forum and has claimed in the past to be the developer of a new strain of ransomware. Data from Cybersixgill’s Investigative Portal indicates that this ransomware operation is run by a single threat actor who leaks data on cybercrime forums rather than on a Dedicated Leak Site (DLS) or a Telegram channel, the communication channels of choice for established gangs. In November 2022, this threat actor claimed to have used their ransomware to steal data from high-level U.S. government agencies, but researchers speculated that the breach claims were attempts to lure prospective customers to the threat actor’s Ransomware-as-a-Service (RaaS) program.
This threat actor has also claimed to have breached a luxury car manufacturer, a multinational footwear giant, and a Southeast Asian subsidiary of a major beauty products company. Most recently, the threat actor claimed to be associated with a newer group that attacked a municipal healthcare portal serving a large metropolitan area in the U.S. According to this threat actor, data related to over 150,000 portal users was stolen and is being sold, which could implicate federal and state data confidentiality laws, including HIPAA rules and regulations. The exposed data could also be used in phishing schemes and other forms of fraud.
Figure 1: A threat actor advertises AT&T database lookups on a popular cybercrime forum
In addition to the threat actor’s forum post, Cybersixgill also collected a post from a doxing site that included AT&T data and credited the threat actor as its source. In the post, a user claimed to be exposing a variety of sensitive information, including the victim’s name, emails, and passwords.
The doxer specifically referenced an AT&T leak in relation to some of the data in the dox and credited the threat actor as the source of the AT&T-related information, including the victim’s mobile number and carrier, AT&T subsidiary Cingular Wireless. This represents one of the potentially damaging consequences of data breaches, which include malicious harassment such as doxing. While the doxer may simply seek to embarrass or harass the victim, other threat actors could use the exposed information to commit identity and financial fraud. This type of information could also be used in phishing schemes and social engineering campaigns.
With that being said, it remains unknown whether the information the threat actor provided is actually related to the incident AT&T disclosed on March 9, 2023. Regardless, the dox illustrates the dangerous consequences that can transpire when personal information falls into the hands of threat actors on the underground.
Figure 2: A doxing victim with AT&T data sourced from a threat actor
The breach of an AT&T marketing vendor highlights the potential threat posed by third-party entities with access to sensitive data. If such parties lack proper security practices, client companies and their customers may pay the price. The consequences of a data breach include not only doxing, but other forms of cyber crime and theft.
AT&T may also suffer financial, legal, and reputational damage, even though the vendor may have addressed the vulnerability that led to the breach. After AT&T’s competitor T-Mobile suffered a similar breach, threat actors on the underground ridiculed the company, calling on the government to fine it for repeatedly exposing customers’ data. As these incidents illustrate, organizations should implement multi-factor authentication (MFA) on all login portals, instruct employees not to click on links or attachments contained in suspicious emails, and update all corporate products to their latest versions to protect against intrusions and data leaks.