Data leak

AT&T Snowflake Breach - 110 Million Customer Call Records

📅 2024-04-14 🏢 Snowflake (cloud data platform) 🦠 Lumma/Vidar/RedLine infostealers (used to harvest credentials)

Incident Details

Nearly 110 million AT&T wireless customers had call and text metadata stolen: which numbers were contacted, call duration and, for some records, cell-site identifiers that can be used to approximate a subscriber's location. The records did not include call or message content, names, Social Security numbers or dates of birth. The data covered 1 May 2022 through 31 October 2022, plus records from 2 January 2023. This is a separate incident from the March 2024 AT&T dark-web leak of 73M records. Connor Moucka (alias ‘judische’) and John Erin Binns were later charged. AT&T reportedly paid a ransom of about $370,000 (roughly 5.7 BTC) to have a copy of the data deleted. Disclosed under SEC Form 8-K on 12 July 2024, after the Department of Justice twice approved a delay of the disclosure on national-security and public-safety grounds.

Technical Details

Initial Attack Vector
UNC5537 (a financially motivated cluster tracked by Mandiant; some reporting links its members to Scattered Spider / 'the Com') used credentials harvested by infostealer malware to log in to AT&T's Snowflake environment, which accepted single-factor password authentication with no MFA. Across the wider Snowflake customer campaign, Mandiant found the same three conditions on every affected tenant: no MFA, no network policy restricting source IP addresses, and stolen credentials that had not been rotated (some dating from 2020). Attackers exfiltrated call and SMS metadata records between 14 and 25 April 2024.
Vendor / Product
Snowflake (cloud data platform)
Malware Family
Lumma/Vidar/RedLine infostealers (used to harvest credentials)
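The three weaknesses that made this intrusion possible (password-only logins, no source-IP restriction, unrotated credentials) are all visible and fixable from inside Snowflake itself. The following queries are an added example written for this page, not AT&T's or Snowflake's own incident material; they use the documented SNOWFLAKE.ACCOUNT_USAGE views and run as ACCOUNTADMIN. The 14 to 25 April 2024 window comes from the incident above; the network range 203.0.113.0/24 and the policy names are placeholders to be replaced with your own.

```sql
-- 1. Inventory: users who can still log in with a password and have no Duo MFA
--    enrolled, with the age of that password. These are the accounts an
--    infostealer-harvested credential would have worked against.
SELECT name,
       login_name,
       has_password,
       ext_authn_duo                AS mfa_enrolled,
       password_last_set_time,
       last_success_login,
       disabled
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY password_last_set_time NULLS FIRST;

-- 2. Hunt: successful single-factor logins during the intrusion window,
--    grouped by user, source IP and client. Unfamiliar IPs or client types
--    (e.g. a driver your analysts never use) are the lead to pull on.
SELECT user_name,
       client_ip,
       reported_client_type,
       reported_client_version,
       first_authentication_factor,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= '2024-04-14'
  AND  event_timestamp <  '2024-04-26'
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY 1, 2, 3, 4, 5
ORDER  BY logins DESC;

-- 3. Hunt: bulk unloads in the same window. COPY INTO <stage> shows up as
--    query_type 'UNLOAD'; large rows_unloaded from an unexpected user or
--    warehouse is the exfiltration signature to look for.
SELECT start_time,
       user_name,
       role_name,
       warehouse_name,
       rows_unloaded,
       bytes_written,
       LEFT(query_text, 200) AS query_excerpt
FROM   snowflake.account_usage.query_history
WHERE  start_time >= '2024-04-14'
  AND  start_time <  '2024-04-26'
  AND  query_type = 'UNLOAD'
ORDER  BY rows_unloaded DESC NULLS LAST;

-- 4. Harden: require MFA enrolment account-wide and restrict logins to known
--    egress ranges. Placeholder names and CIDR; replace before running.
CREATE AUTHENTICATION POLICY require_mfa_policy
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```

Step 1 is the pre-incident check; steps 2 and 3 are what an investigator runs after the fact, and both rely on ACCOUNT_USAGE retention (365 days), so export the results rather than assuming they will still be there next year. Step 4 closes the door but does not invalidate credentials already in an infostealer log: rotate every password that step 1 returns, and check that any service users authenticate with key pairs rather than passwords.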

Timeline

  1. 2024-04-14 Unauthorized access to the Snowflake environment begins (exfiltration continues until 2024-04-25)
  2. 2024-07-12 Publicly disclosed
  3. 2024-07-12 Customers notified