In an email sent to AT&T customers yesterday, the company clarified there is “no current indication of any public release or illegal use of your data,” and that though “the data included the phone numbers of your call and text interactions from May 1, 2022 to October 31, 2022,” it did not include “the content of calls or text messages, nor personal information.”
Colin McA is a security software developer and the host of the podcast The Daily Decrypt, which delivers short-form cybersecurity news. Colin says the AT&T breach is part of a larger problem.
“In the last couple of decades, there’s been a really big push towards the cloud,” said Colin, “The reason being is: it’s cheaper, it’s more flexible, and it’s, quote, ‘More secure.’”
But when companies – and individuals – store data in a third-party cloud storage platform, they’re no longer the only party responsible for the security of that data. AT&T, along with fellow data breach targets Advance Auto Parts and Ticketmaster, stored data in the cloud service provider Snowflake, which did not require users to set up two-factor authentication (2FA).
“And, because of that, companies weren’t really thinking about it,” said Colin. “They were just creating these accounts and logging in as mandated by the cloud service provider – which was just usernames and passwords.”
Cybercriminals gained access to Snowflake accounts not through hacking, but by using stolen login credentials purchased from the dark web.
“So, what happens is: you click a phishing link in an email, that downloads what’s called an infostealer malware, that lives on your computer, waits for you to log into anything, and grabs your username and password,” said Colin.
And, without using 2FA, that’s all a bad actor needs to log in.
“If they had two-factor authentication enabled on their Snowflake account, they would have typed in the username, typed in the password, and the user – the actual user – would have received a prompt on their phone to allow this login that they didn’t initiate, which would have stopped the whole thing in its tracks,” said Colin.
But for over 160 companies storing data on Snowflake, this precaution wasn’t enabled. Cybercriminals used this method to obtain customer records from AT&T, Taylor Swift tickets from Ticketmaster, and Social Security numbers stored by Advance Auto Parts.
(Snowflake now requires all new customers to use 2FA.)
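The exposure Colin describes, a stolen password being the only thing checked at login, is visible after the fact in a platform's login records. The following is an added example, not code from the article or from Snowflake: it audits constructed login-history rows laid out like Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (the column names are an assumption taken from that view; the rows are invented) and reports every user whose successful logins were password-only, with the source IPs, so a defender can see which accounts an infostealer credential would have walked straight into.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample rows. Column names are assumed to follow Snowflake's
# ACCOUNT_USAGE.LOGIN_HISTORY view; the users, IPs and timestamps are invented.
SAMPLE_LOGIN_HISTORY = """\
EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS
2024-05-20T08:01:00,ANALYST_A,203.0.113.10,PASSWORD,DUO_PUSH,YES
2024-05-20T08:05:00,ANALYST_B,198.51.100.7,PASSWORD,,YES
2024-05-21T02:13:00,ANALYST_B,192.0.2.55,PASSWORD,,YES
2024-05-21T02:14:00,SVC_ETL,203.0.113.20,RSA_PRIVATE_KEY,,YES
2024-05-21T03:00:00,ANALYST_C,192.0.2.55,PASSWORD,,NO
"""


def audit_logins(csv_text):
    """Map each user to the source IPs of their successful password-only logins.

    A login counts as password-only when it succeeded, the first factor was a
    password, and no second factor was presented: exactly the case a stolen
    credential exploits when 2FA is not enforced.
    """
    findings = defaultdict(list)
    for row in csv.DictReader(StringIO(csv_text)):
        if row["IS_SUCCESS"] != "YES":
            continue  # failed attempts are not the exposure we are measuring
        if row["FIRST_AUTHENTICATION_FACTOR"] != "PASSWORD":
            continue  # key-pair or federated logins are not password-only
        if row["SECOND_AUTHENTICATION_FACTOR"]:
            continue  # a second factor was checked, so a leaked password alone fails
        findings[row["USER_NAME"]].append(row["CLIENT_IP"])
    return dict(findings)


def summarize(findings):
    """One report line per exposed user; several distinct source IPs for one
    password-only account is the pattern worth escalating first."""
    lines = []
    for user, ips in sorted(findings.items()):
        distinct = sorted(set(ips))
        flag = " (multiple source IPs)" if len(distinct) > 1 else ""
        lines.append(f"{user}: {len(ips)} password-only login(s) from "
                     f"{', '.join(distinct)}{flag}")
    return lines


if __name__ == "__main__":
    for line in summarize(audit_logins(SAMPLE_LOGIN_HISTORY)):
        print(line)
```

Pointing the same logic at a real export of the view, with the same column names, turns it into a quick MFA-coverage check before an enforcement rollout.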
Colin says there are some basic precautions people can take to protect their data, like using messaging services with end-to-end encryption. He also says tech users can be more mindful of how much information they give companies – and whether that information is pertinent to the service they provide. But, ultimately, he says regulation is the best defense to protect user data at large scales.
“We need acts of Congress. The FCC needs to get involved and make sure these companies, first of all, aren’t storing our Social Security numbers and, second of all, that the places they store them are secure with multiple forms of authentication, preferably physical encryption keys.”