AT&T says hackers stole records of nearly all cellular customers' calls and texts
The data contains records of calls and texts between approximately May 1 and Oct. 31, 2022, and on Jan. 2, 2023.
Hackers stole six months' worth of call and text message records of nearly every AT&T cellular network customer, the company said Friday, a breach that has the potential to reveal sensitive information about millions of Americans.
The company said in an SEC filing .....
"AT&T's wireless network has 127 million devices connected to it, according to the company's 2023 annual report."


Comments
You secured and locked up your phone using antivirus, fingerprint, PIN, password..., used all kinds of preventions and expert recommendations... This data breach is alarming, all the naughty and personal stuff at the hands of criminals. Nothing is secure in the jungle called the Internet.
It would be interesting to know what records refers to in this context. Is it just metadata or full content and all that?
If you would have done what the experts recommend, the attacker would have nothing from you, because you would do all naughty personal stuff over Signal and/or Threema and not use SMS for 2FA.
Yeah, SMS is inherently insecure and can be (relatively) easily intercepted anyways. I don't 100% agree on not using SMS for 2FA though. As long as you aren't a high-profile target, chances of someone making the effort to intercept your messages are pretty low, and if some 2FA codes leak later on (if it's really content that was leaked - I'm pretty sure that - at least officially at the provider - only metadata is stored) they are worthless anyways. Another approach would obviously be better, but SMS 2FA still isn't the end of the world.
Sorry but nope, SMS 2FA is a burning pile of garbage. There are technical ways https://www.ccc.de/en/updates/2024/2fa-sms and it is a common service in cybercrime to offer SIM swap as a service, and they do that in bulk, not just on high-profile targets.
Maybe if we are lucky they will leak some internal info about gov spying but they probably thought to actually secure that.
Yeah, I know that, but the whole social engineering shtick is not something you want to run against random targets (I mean, what would that look like? A whole call center phoning the service line of mobile provider X 24/7 asking for replacement SIMs, bundled with a fleet of couriers fishing them out of people's letterboxes? Besides, it also depends a lot on the security protocols of the given providers), let alone actual interception. From quickly skimming the link you posted, it doesn't seem like it really says a whole lot about SMS specifically but rather that some provider for 2FA services had a leak - hardly the fault of SMS.
Like I've said, I fully agree that it's not ideal, but combined with a number that isn't used at every corner of the internet I still wouldn't lose sleep over it, and relying on smartphones for authentication (a huge percentage of which are security timebombs in their own right) comes with its own set of problems and dangers. What I'd really like to see is an actual standalone hardware solution like chip-TAN; that would be a notable step forward, but then a lot of accounts don't need 2FA anyways.
Nearly all AT&T subscribers’ call records stolen in Snowflake cloud hack
Six months of call and text records taken from AT&T workspace on cloud platform.
https://arstechnica.com/tech-policy/2024/07/nearly-all-att-subscribers-call-records-stolen-in-snowflake-cloud-hack/
But you'll get a $0.22 settlement in a few years, so it's okay.
That pretty much sums it up. The lawyers get $22 mil and you get $.22 cents.
Thanks, so it's really just metadata after all, no contents or anything.
As always, the best way to prevent data leaks is not to store or collect data in the first place, whenever possible.
Well, the good thing is that the sheer volume of data guarantees safety of privacy due to the fact that no one will care about you.
I wish... I try really hard not to use telephone numbers for 2FA, unfortunately it simply isn't an option..
I have exactly two organizations that will call or send SMS when I try and login.. One of them has introduced RFC6238 but sometimes still wants to send me an SMS message, and it is always available as a backup anyways, they won't let me remove it..
The second started middle of last year, not allowing any actually secure methods of 2FA..
The second one I am using less as time passes with the idea of dropping them completely in the future.. The first, I keep hoping they will soon allow me to remove my telephone number.
I don't have an alternate available for the first organization.
Using telephone numbers for 2FA isn't going away until courts hold the companies responsible for just having security theatre. It allows them to point-the-finger at someone else when SHTF. "It isn't our fault that your account was emptied, it was [insert telephone company name]'s fault, they let your number be ported."
Yes it is, you shouldn't be using telephone numbers for security, they are not secure.
They will still tell you to talk to your telephone company about whatever has been lost.
Telephone number for security is only about the extra data-points they get to collect, having that data, is worth more than they spend to send SMS and telephone calls.. RFC6238 is much, much cheaper to offer (free, it is just math), companies don't spend money unless there is a return on it.
Sakkurity at work!
A friendly service of your(?) governments and the mega-corporations.
Footnote 4266, page 114 in Arial 4 pt, light gray: In the event that we develop an actually secure protocol, device, algorithm or other artifact or construct, we reserve the right to exclusively reserve it for and use it ourselves.
Update News:
AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records
A security researcher who assisted with the deal says he believes the only copy of the complete dataset of call and text records of “nearly all” AT&T customers has been wiped—but some risks may remain.
US telecom giant AT&T, which disclosed Friday that hackers had stolen the call records for tens of millions of its customers, paid a member of the hacking team more than $300,000 to delete the data and provide a video demonstrating proof of deletion. ...
https://www.wired.com/story/atandt-paid-hacker-300000-to-delete-stolen-call-records/#intcid=_wired-right-rail_bdaa2eae-2ccb-43a6-a6ab-cb5388110999_popular4-1-reranked-by-vidi
The lesson is always have backups..