A well-known threat actor with a long list of previous breaches is selling private data that was allegedly collected from 70 million AT&T customers. We analyzed the data and found it to include social security numbers, date of birth, and other private information. The hacker is asking $1 million for the entire database (direct sell) and has provided RestorePrivacy with exclusive information for this report.
Update: AT&T has initially denied the breach in a statement to RestorePrivacy. The hacker has responded by saying, “they will keep denying until I leak everything.”
Hot on the heels of a massive data breach at T-Mobile earlier this week, AT&T now appears to be in the spotlight. A well-known threat actor in the underground hacking scene is claiming to have private data from 70 million AT&T customers. The threat actor goes by the name of ShinyHunters and was also behind previous exploits that affected Microsoft, Tokopedia, Pixlr, Mashable, Minted, and more.
The hacker posted the leak on an underground hacking forum earlier today, along with a sample of the data that we analyzed. The original post is below:
We examined the data for this report and also reached out to the hacker who posted it for sale.
70 million AT&T customers could be at risk
In the original post that we discovered on a hacker forum, the user posted a relatively small sample of the data. We examined the sample and it appears to be authentic based on available public records. Additionally, the user who posted it has a history of major data breaches and exploits, as we’ll examine more below.
While we cannot yet confirm the data is from AT&T customers, everything we examined appears to be valid. Here is the data that is available in this leak:
- Name
- Phone number
- Physical address
- Email address
- Social security number
- Date of birth
Below is a screenshot from the sample of data available:
In addition to the data above, the hacker also has encrypted customer data that includes social security numbers and dates of birth. Here is a sample that we examined:
The data is currently being offered for $1 million USD for a direct sell (or flash sell) and $200,000 for access that is given to others. Assuming it is legit, this would be a very valuable breach as other threat actors can likely purchase and use the information for exploiting AT&T customers for financial gain.
Hacker provides RestorePrivacy with additional information
We made contact with the hacker who confirmed that all data is from AT&T customers in the United States. The hacker would not tell us how the data was obtained.
The hacker also told us that he obtained three encrypted strings of data, with the first two being the social security number and date of birth. He believes the third encrypted string is the user PIN, but is not yet sure.
Potential impact for AT&T users
A data breach of this scale is a very serious issue, especially if the data includes detailed private information, particularly social security numbers.
Specifically, AT&T users could be at risk of the following attacks:
- identity theft
- phishing attempts
- social engineering attacks
- hacked accounts
- social security scams
We strongly urge AT&T customers to be vigilant against any suspicious activities and/or compromised accounts on other platforms. The website haveibeenpwned, which is maintained by cybersecurity researcher Troy Hunt, is a useful tool to check if your personal information has been compromised.
UPDATE: AT&T comments on the situation
AT&T has provided us with a comment on the situation, posted below in its entirety:
Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems.
-AT&T Corporate Communications Officer (sent to RestorePrivacy on August 19, 2021).
This is an interesting response. The claim that this was posted in an “internet chat room” is simply not correct. It was posted in a well-known hacking forum by a user with a history of large (and verified) exploits.
ShinyHunters replied to AT&T’s statement by telling RestorePrivacy:
It doesn’t surprise me
I think they will keep denying until I leak everything
ShinyHunters’ past exploits and breaches
We should also point out that ShinyHunters is a well-known threat actor with a laundry list of previous exploits. You can see a small sample on the hacker’s Wikipedia page here. This gives further credibility to the hacker’s claims in light of AT&T’s initial denial. The hacker’s previous exploits include:
- Microsoft – 500 GB of Microsoft source code stolen and sold online
- Mashable – 5.22 GB of company and staff data
- Tokopedia – 91 million user accounts
- Pixlr – 1.9 million user accounts
- 123RF – 8.3 million user accounts
- Wattpad – 270 million user records
- Pluto TV – 3.2 million Pluto TV user records
- Animal Jam – 46 million accounts leaked
- WedMeGood – 41.5 GB of user data
- BigBasket – 20 million user accounts
- Dave.com – 7 million user accounts
- Couchsurfing.com – Data from 17 million users
- Dunzo – 11 GB of company data
- Nitro PDF – 77 million user records
- Bhinneka – 1 million user accounts
- Minted – 5 million accounts leaked
- ProctorU – 444,267 accounts
- Bonobos – Full backup database with 7 million customers and 1.8 million registered users
- Swvl – 4 million users
- Mathway – 25 million records
- Wishbone app – 40 million user records
This list is not exhaustive. You can find more breaches and exploits from ShinyHunters that have been verified and discussed on various hacking forums, particularly RaidForums.
Hacker is willing to work with AT&T on an “agreement”
The hacker told us he is willing to work with AT&T directly if they want the data removed — for a price.
We will continue to monitor the situation and update this article as new information unfolds.
https://thehackernews.com/2021/09/protonmail-shares-activists-ip-address.html?m=1
Protonmail involved
Do you really think he technically ‘hacked’ all these tech companies? Not at all! Humans are the most vulnerable security risk. Most likely it’s a big dude who has got strong connections to senior staff willing to make some extra bucks on the side. This also works for single user data since many companies offer their users to download the collected data. (:
We do see this trend right now where ransomware groups are going directly to employees and bribing them to get inside access to a network.
I reported to AT&T that my phones are being hacked and their security response was somewhat helpful. I believe the data is stolen in the sales process–individuals are selling new customer info as soon as you walk out the door with your new phone. I watched it unfold to the degree: step one, the computer slows down and processing just happens to take long that day for some reason; next another person comes over as if having approval/input authority or, the customer document leaves the kiosk with the sales person to go pick up your equipment. You walk out with an excuse that the contract isn’t available and they will email it. I’ve experienced these scenarios with T-Mobile, AT&T and when Sprint was only Sprint. I filed complaints with the Secretary of State and FCC.
I’m not surprised at ATT’s response, noting of course the sample data looks like a simple pipe delimited SQL query export… I’m not a white or black hat, just a long time database guy… and this data doesn’t look right.
Assuming the data is valid – the really scary thing is that those encrypted values are really weak. That the Date field has more entropy than the SSN is very odd. Note also the repetitive prefix value in both – this doesn’t make sense, unless the encrypted (not hashed) field were appended.
The data itself – looks more like a translation form. UUencode64 value is a good example… as are a bunch of Unicode Translation forms. This would lend credence to ATT’s version of the story…
ShinyHunters has already said that this is not the original format
Hi Sven,
Great article!
When contacting hackers do you let them know it is for journalistic purposes? To know would give some insight into the personalities behind the hack.
When a hacker (credibly) asserts they have breached an organisation and the organisation (credibly) denies the breach, how is the truth resolved? Can it be resolved?
Regards,
BoBeX
1. Yes, and usually the players involved will provide information for the story.
2. Yes, it will be resolved when more information comes forward. In this case the sample is relatively small and AT&T was quick to deny it, which is no surprise because this would be very bad for them. But when more data comes out, it should be very clear who is correct.
I forgot to add the facts about how it seems to take 1 full day to notice your phone is being interrogated with glitches like third access, real-time interaction from a backdoor.
I’m sure social media is a good place to observe where the formal networking happens.
You missed a street name in the sample. Second to last row.
Hey thanks, I updated the image and removed the street name.
Leaving the ZIP+4 visible for “Peter” is still enough to find his full name and address, since many of those +4 codes map to a single street name.
A Google search with his first name, the street from his +4, and the town, pulled up his full name and address on the first page of results.
Wow. I did not know +4 is so invasive, but I just tried it and you are correct. I have now updated the image again to remove the +4 zip.
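The exchange above shows that even a ZIP+4 left in a screenshot can re-identify a person. As an added example, not part of the article or its comments, here is a Python redaction pass for pipe-delimited sample rows (the export layout a commenter describes) that strips the street, the +4, the SSN and most of the DOB, then checks that no SSN or ZIP+4 pattern survives; the rows and column order are constructed for this example.

```python
import re

# Constructed sample rows in the pipe-delimited export layout described in the
# comments; every value here is fabricated for this example, not leaked data.
FIELDS = ["name", "phone", "street", "city", "zip", "email", "ssn", "dob"]
SAMPLE_ROWS = [
    "Peter Example|555-010-0001|12 Maple St|Springfield|62704-1234|peter@example.com|123-45-6789|1984-07-19",
    "Jane Example|555-010-0002|9 Oak Ave|Springfield|62704|jane@example.org|987-65-4321|1990-01-02",
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ZIP4_RE = re.compile(r"\b\d{5}-\d{4}\b")
PHONE_RE = re.compile(r"^(\d{3})-\d{3}-\d{4}$")


def redact_row(line: str) -> str:
    """Reduce one record to what a published screenshot can safely show."""
    v = dict(zip(FIELDS, line.split("|")))
    v["name"] = " ".join(part[0] + "." for part in v["name"].split())  # initials only
    m = PHONE_RE.match(v["phone"])
    v["phone"] = f"{m.group(1)}-***-****" if m else "***-***-****"    # area code only
    v["street"] = "[street removed]"           # the first correction made in the thread
    v["zip"] = v["zip"][:5]                    # drop the +4: it can map to a single street
    local, _, domain = v["email"].partition("@")
    v["email"] = f"***@{domain}" if domain else "***"
    v["ssn"] = "***-**-****"                   # never show any SSN digits
    v["dob"] = v["dob"][:4] + "-**-**"         # year only; full DOB plus ZIP is a quasi-identifier
    return "|".join(v[f] for f in FIELDS)


def residual_identifiers(line: str) -> list:
    """Names of identifier patterns that must not survive in anything published."""
    found = []
    if SSN_RE.search(line):
        found.append("ssn")
    if ZIP4_RE.search(line):
        found.append("zip+4")
    return found


def redact_rows(rows):
    """Redact every row and refuse to return output that still leaks a pattern."""
    out = [redact_row(r) for r in rows]
    leaks = [(i, residual_identifiers(r)) for i, r in enumerate(out) if residual_identifiers(r)]
    if leaks:
        raise ValueError(f"residual identifiers after redaction: {leaks}")
    return out


if __name__ == "__main__":
    for row in redact_rows(SAMPLE_ROWS):
        print(row)
```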