SecureMac, Inc.

Checklist 384: A Very Un-Fun Snow Day

July 19, 2024

AT&T and Ticketmaster data breaches expose millions, highlighting failures in security protocols and the need for robust measures like mandatory MFA.


Massive Data Breach Hits AT&T: 110 Million Customers Affected

As discussed on the podcast, AT&T has confirmed a significant data breach that potentially affects nearly all of its wireless customers as well as customers of various mobile virtual network operators (MVNOs). The breach, which occurred between April 14 and April 25 this year, exposed records of customer calls and texts from May 1 to October 31, 2022, and from January 2, 2023. The hack could affect about one-third of the US population.

Scope and Impact

According to a report by The Hacker News, the MVNOs affected include:

  • Black Wireless
  • Boost Infinite
  • Consumer Cellular
  • Cricket Wireless
  • FreedomPop
  • FreeUp Mobile
  • Good2Go
  • H2O Wireless
  • PureTalk
  • Red Pocket
  • Straight Talk Wireless
  • TracFone Wireless
  • Unreal Mobile
  • Wing

The stolen data was stored with Snowflake, a cloud data platform, which previously faced criticism following a separate incident involving Ticketmaster.

Snowflake’s Role and Response

The breach has highlighted issues with Snowflake’s data security practices. TechCrunch reported that Snowflake enables its corporate customers, including telcos like AT&T, to analyze massive amounts of customer data. Snowflake claimed the breach resulted from customers not using multi-factor authentication (MFA), even though the platform did not require MFA in the first place.

WIRED further revealed that the hackers behind the Snowflake data theft obtained stolen credentials from dark web services, including credentials taken from a third-party contractor named EPAM Systems.

Financial Motivations and Fallout

The financial motivation behind the hack is clear, with demands for ransoms ranging from $300,000 to $5 million. The cybercriminal group, identified by Google-owned Mandiant as UNC5537, operates primarily out of North America with collaboration from a member in Turkey.

Future Precautions

In response to the breach, Snowflake announced it will now enforce mandatory MFA for all users and will soon require MFA for new accounts to mitigate future risks. However, the damage is already done for the millions of consumers whose data has been compromised.

While corporate entities like AT&T and Snowflake navigate the fallout, it is ultimately the consumers who bear the brunt of the breach. With sensitive information stolen and potentially misused, the incident underscores the urgent need for robust data security measures across the board.

Sources: The Hacker News, TechCrunch, WIRED

AT&T Data Breach Exposes Call and Text Records of 110 Million Customers

AT&T recently disclosed a massive data breach that compromised the phone records of nearly 110 million wireless and landline customers, exposing sensitive information and call data. The breach, spanning from April 14 to April 25, revealed records from May 1 to October 31, 2022, and January 2, 2023.

Nature of the Data Compromised

In a statement covered by TechCrunch, AT&T confirmed that the stolen data included phone numbers and records of calls and text messages, detailing who contacted whom. Additionally, 9to5Mac reported that hackers also accessed cell site identification numbers for some communications, potentially pinpointing customer locations within 300 feet.

Scope and Implications

Despite the severity of the breach, The Hacker News clarified that the compromised data did not include the content of calls or texts, nor personal information like Social Security numbers or dates of birth. However, AT&T admitted in a Form 8-K filing with the U.S. Securities and Exchange Commission that publicly available tools could link phone numbers to individuals’ names.

Jake Williams, a former NSA hacker and faculty member at IANS Research, emphasized the gravity of the situation, noting that the stolen data, known as call data records (CDR), is invaluable for intelligence analysis. These records can reveal intricate details about who communicates with whom and when, posing a significant threat to individuals at all levels, from CEOs to senators.

AT&T’s Response and Security Measures

In response to the breach, AT&T has set up an information site offering tips for protecting personal data:

  • Only open text messages from known and trusted senders.
  • Avoid replying to unknown texts with personal details.
  • Navigate directly to company websites instead of using links from text messages.
  • Ensure websites are secure by checking for “https” in the URL and looking for a lock icon.

AT&T assured customers that the access point used in the breach has been secured, emphasizing that protecting customer data is a top priority.

While AT&T works to mitigate the fallout, the breach underscores the need for robust data security practices. With sensitive call and text records exposed, the incident highlights the risks associated with data storage and the importance of maintaining stringent security measures to protect customer information.

Sources: The Hacker News, TechCrunch, 9to5Mac

Snowflake Security Lapse Exposes Ticketmaster Data in Latest Breach

In a continuation of data security concerns, the podcast “Checklist No. 378 – Probable Ticketmaster Data Breach” revisited the issues involving Snowflake and Ticketmaster, highlighting failures in multi-factor authentication (MFA) protocols.

Breach Details

The podcast had previously discussed the breach of Ticketmaster’s data, which was facilitated by the lack of MFA or 2FA on the company’s Snowflake account. This security lapse mirrors the recent AT&T breach, raising significant concerns about data protection measures.

Joint Statement and Contradictory Findings

In early June, Snowflake, in collaboration with cybersecurity firms CrowdStrike and Mandiant, issued a statement denying any evidence of vulnerabilities, misconfigurations, or breaches within Snowflake’s platform. They also claimed that no compromised credentials from current or former Snowflake personnel were involved.

However, a report by WIRED contradicted this claim, revealing that hackers had obtained stolen Snowflake credentials through a contractor, EPAM Systems. Using a remote-access Trojan, the attackers accessed an EPAM worker’s computer, uncovering unencrypted usernames and passwords used to manage EPAM customers’ Snowflake accounts, including Ticketmaster’s.

Criticism and Security Implications

The podcast criticized both Ticketmaster and Snowflake for their security oversights. Snowflake faced additional scrutiny for not mandating MFA, especially given the volume of sensitive information handled by their servers.

This incident underscores the need for robust security practices, particularly for companies managing large datasets. Implementing mandatory MFA is a critical step to prevent similar breaches in the future.
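The practical check that follows from the Snowflake discussion above (the "customers not using MFA" claim and the mandatory-MFA lesson) is an audit of which accounts are still logging in with a password alone. The example below is added here and is not SecureMac's, Snowflake's, or any of the named companies' code; it mimics the column shape of Snowflake's LOGIN_HISTORY view (USER_NAME, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS, CLIENT_IP) over constructed rows with hypothetical user names and documentation-range IPs.

```python
"""Flag Snowflake logins that succeeded with a password and no second factor.

Added example, not code from the page or from Snowflake. The rows below are
constructed and mirror the shape of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class LoginEvent:
    user_name: str
    first_factor: str               # e.g. "PASSWORD", "SAML2", "KEYPAIR"
    second_factor: Optional[str]    # e.g. "DUO_PUSH", or None if no MFA
    is_success: bool
    client_ip: str


# Constructed sample rows (hypothetical users, RFC 5737 documentation IPs).
SAMPLE_EVENTS: List[LoginEvent] = [
    LoginEvent("svc_etl", "PASSWORD", None, True, "203.0.113.10"),
    LoginEvent("svc_etl", "PASSWORD", None, True, "198.51.100.7"),
    LoginEvent("alice", "PASSWORD", "DUO_PUSH", True, "192.0.2.5"),
    LoginEvent("bob", "SAML2", None, True, "192.0.2.9"),
    LoginEvent("carol", "PASSWORD", None, False, "203.0.113.44"),
]


def password_only_logins(events: List[LoginEvent]) -> Dict[str, Set[str]]:
    """Map user -> set of source IPs for successful password-only logins.

    SSO (SAML2) and key-pair logins are excluded: their second factor is
    enforced by the identity provider or by possession of the key, so only
    plain PASSWORD logins without a second factor are reported. Failed
    attempts are ignored; they do not prove the account is exposed."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.is_success and e.first_factor == "PASSWORD" and not e.second_factor:
            hits[e.user_name].add(e.client_ip)
    return dict(hits)


def report(events: List[LoginEvent]) -> List[str]:
    """One review line per exposed user, users with the most source IPs first."""
    hits = password_only_logins(events)
    ordered = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [f"{user}: password-only logins from {len(ips)} IP(s)" for user, ips in ordered]


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

In a real account the same logic would run over a query of the LOGIN_HISTORY view rather than constructed rows; a service account appearing in the output from several IPs is exactly the pattern the Snowflake-hosted breaches relied on.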

The repeated data breaches involving major companies like AT&T and Ticketmaster highlight significant gaps in cybersecurity protocols. As sensitive information continues to be at risk, the responsibility falls on both service providers and their customers to enforce stringent security measures.

Sources: SC Magazine, WIRED, CrowdStrike, Mandiant
