AT&T Breach Linked to American Hacker, Telecom Giant Paid $370k Ransom: Reports

The recently disclosed AT&T data breach has been linked to an American hacker living in Turkey, and the telecom giant reportedly paid a significant ransom to ensure that the stolen information would be deleted.

AT&T revealed on Friday that it had suffered a data breach affecting nearly all of its wireless customers. The company said that in April hackers exfiltrated records of customer call and text interactions from May 1, 2022, to October 31, 2022, as well as on January 2, 2023. The data originated from AT&T’s ‘workspace’ on a third-party cloud platform. 

The company explained that the compromised records identify other phone numbers that impacted customers interacted with, including call or text counts and call durations. The content of calls or texts, timestamps, and other sensitive personal information was not impacted.

“While the data doesn’t include customer names, there are often ways to find a name associated with a phone number using publicly available online tools,” AT&T said.

The telecom giant also noted that it does not believe the stolen data is publicly available and said it had received information that “at least one person has been apprehended”. AT&T is notifying roughly 110 million customers about the incident. 

More information relating to the AT&T hack became available over the weekend. Wired reported that AT&T paid a hacker roughly $370,000 in bitcoin back in May in order to prevent the data from getting leaked. The hacker in question, a member of the notorious ShinyHunters group, provided proof of the transaction, which was also confirmed to Wired by others based on cryptocurrency transfer records.

The hacker reportedly demanded a $1 million ransom from AT&T, but he ultimately settled for far less. The hacker provided AT&T with a video showing that he had deleted the stolen data.

The AT&T customer data appears to come from the Snowflake data storage platform. Hundreds of Snowflake instances, including ones belonging to major companies such as Ticketmaster, Santander Bank, Advance Auto Parts, and Neiman Marcus, were recently compromised through the use of stolen customer credentials. The ShinyHunters group is said to be involved in the Snowflake attack.

However, according to information obtained by Wired, John Binns, an American hacker who has been living in Turkey for several years, is also involved in the AT&T hack. In 2021, Binns’ name appeared in the press after he took credit for hacking T-Mobile. He was indicted the following year. 

Binns was reportedly arrested in Turkey in May 2024 over the T-Mobile breach, which may be why AT&T mentioned an individual being apprehended in its public statement. 

404 Media also learned from multiple sources that Binns is linked to the AT&T hack. 

A researcher who uses the online moniker Reddington told Wired that he was contacted in April by Binns, who had claimed to have obtained the call logs of millions of AT&T customers from Snowflake. 

Reddington was asked to facilitate a ‘buyback of the data’ with AT&T and he claimed to have also handled negotiations between the hackers and other victims of the Snowflake hack. 

AT&T was reportedly supposed to send the $370,000 ransom to Binns, but ended up sending it to a ShinyHunters member due to Binns’ arrest in Turkey. 

According to Reddington, Binns and the ShinyHunters hacker stored the full AT&T database on a cloud server from where it was deleted after the company paid a ransom. However, they may have sent samples of the data to multiple individuals before it was deleted.

SecurityWeek has reached out to AT&T for confirmation, but the company declined to comment.

*updated to say that AT&T declined to comment
