It may be our data, but it’s not our breach – Krebs on Security

Image: Shutterstock.

A cybersecurity firm claims to have intercepted a large, unique dataset containing the names, addresses, email addresses, phone numbers, social security numbers and dates of birth of nearly 23 million Americans. The company’s analysis of the data suggests that it matches current and former customers of AT&T. The telecommunications giant has refrained from saying that the data did not belong to it, but it maintains that the recordings do not appear to have come from its systems and may be linked to a previous data incident at another company.

Milwaukee-based cybersecurity consultancy Hold Security said it intercepted a 1.6 gigabyte compressed file from a popular dark web file-sharing site. The largest item in the archive is a 3.6 gigabyte file called “dbfull”, and it contains 28.5 million records, including 22.8 million unique email addresses and 23 million Unique SSNs. There are no passwords in the database.

Founder of Hold Security Alex Holden said a number of patterns in the data suggest it relates to AT&T customers. For starters, email addresses ending with “” accounted for 13.7 percent of all addresses in the database, with addresses from and – the two AT&T companies – representing an additional 7%. In contrast, Gmail users accounted for more than 30% of the dataset, with yahoo addresses accounting for 24 percent. More than 10,000 entries in the “[email protected]” database list in the email field.

Hold Security found that these email domains accounted for 87% of all domains in the dataset. Almost 21% belonged to AT&T customers.

Holden’s team also looked at the number of email records that included an alias in the username portion of the email and found 293 email addresses with plus addressing. Of these, 232 included an alias indicating that the customer had registered at an AT&T property; 190 of the aliased email addresses were “[email protected]”; 42 were “[email protected]an oddly specific reference to a DirecTV/AT&T entity that included high-speed internet. In September 2016, AT&T renamed U-verse to AT&T Internet.

According to its website, AT&T Internet is offered in 21 states, including Alabama, Arkansas, California, Florida, Georgia, Indiana, Kansas, Kentucky, Louisiana, Michigan, Missouri, Nevada, North Carolina, Ohio, Oklahoma, Tennessee, Texas and Wisconsin. . Almost all database records containing a state designation corresponded to these 21 states; all other states accounted for just 1.64% of registrations, Hold Security found.

Image: Maintain security.

The vast majority of records in this database belong to consumers, but nearly 13,000 of the entries are for legal entities. Holden said 387 of those company names began with “ATT,” with various entries like “ATT PVT XLOW” appearing 81 times. And most of the addresses of these entities are the headquarters of AT&T.

How old is this data? A clue may be in the dates of birth exhibited in this database. There are very few records in this file with birthdates after 2000.

“Based on these statistics, we see that the last significant number of subscribers was born in March 2000,” Holden told KrebsOnSecurity, noting that AT&T requires new account holders to be 18 or older. “Therefore, it makes sense that the dataset was likely created around March 2018.”

There was also this anomaly: Holden said that one of his analysts is an AT&T customer with a 13-letter last name, and his AT&T bill has always had the same unique misspelling of his last name. family (they added yet another letter). He said the analyst’s name is identically misspelled in that database.

KrebsOnSecurity shared the large dataset with AT&T, along with Hold Security’s analysis. AT&T ultimately declined to say whether all of the people in the database are or were at any time AT&T customers. The company said the data appeared to be several years old and “it is not immediately possible to determine the percentage that may be customers.”

“This information does not appear to come from our systems,” AT&T said in a written statement. “It may be related to a previous data incident at another company. It is unfortunate that data can continue to surface for several years on the dark web. However, customers often receive notifications after such incidents, and advice for identity theft is consistent and can be found online.

The company declined to elaborate on what it meant by “a prior data incident at another company.”

But it seems likely that this database is related to the one that was put up for sale on a hacker forum on August 19, 2021. This auction was held with the title “AT&T +70M Database (SSN/DOB)and was offered by ShinyHunters, a well-known threat actor with a long history of compromising websites and developer repositories to steal credentials or API keys.

Image: BleepingComputer

ShinyHunters set the starting price for the auction at $200,000, but set the “flash” or “buy it now” price at $1 million. The auction also included a small sample of the stolen information, but this sample is no longer available. The hacker forum where the ShinyHunters sales thread existed was seized by the FBI in April and its alleged administrator arrested.

But cached copies of the auction, as logged by cyber-intelligence firm Intel 471, show ShinyHunters received bids of up to $230,000 for the entire database before suspending. the sale.

“This thread has been deleted multiple times,” ShinyHunters wrote in their auction thread on September 6, 2021. “As a result, the auction is suspended. AT&T will be available on WHM as soon as they accept new vendors.

The acronym WHM referred to the White House Marketa dark web marketplace that closed in October 2021.

“In many cases, when a database is not sold, ShinyHunters will post it to hacker forums for free,” BleepingComputer wrote. Lawrence Abramswho broke the news of the auction last year and confronted AT&T over the hackers’ claims.

AT&T issued a similar statement to Abrams, saying the data did not come from their systems.

“When asked if the data may have come from a third-party partner, AT&T chose not to speculate,” Abrams wrote. “‘Since this information does not come from us, we cannot speculate on its origin or if it is valid,'” AT&T told BleepingComputer.

Asked to respond to AT&T’s denial, ShinyHunters told BleepingComputer at the time, “I don’t care if they don’t admit it. I only sell.

On June 1, 2022, a 21-year-old Frenchman was arrested in Morocco for allegedly being a member of the ShinyHunters. reports that the accused was arrested on an Interpol “red notice” at the request of a U.S. federal prosecutor in Washington State. suggests the warrant may be linked to a theft from ShinyHunters in May 2020, when the group announced it had exfiltrated 500GB of Microsoft source code from Microsoft’s private GitHub repositories.

“Researchers estimate that Shiny Hunters had access to approximately 1,200 private repositories around March 28, 2020, which have since been secured,” reads a May 2020 alert posted by the New Jersey Cybersecurity and Communications Integration Cella component of the New Jersey Office of Homeland Security and Preparedness.

“While the breach was widely dismissed as insignificant, some images in the directory listing appear to contain source code for Azure, Office, and some Windows runtimes, and concerns have been raised about access to private API keys or to passwords that may have been mistakenly included in certain private repositories,” the alert continues. “Additionally, Shiny Hunters is flooding dark web markets with hacked databases.”

Last month, T-Mobile agreed to pay $350 million to settle a consolidated class action lawsuit over a 2021 breach that affected 40 million current and former customers. The breach was exposed on August 16, 2021, when someone started selling tens of millions of T-Mobile SSN/DOB records on the same hacker forum where the ShinyHunters would post their bid for the AT&T database. claimed three days later.

T-Mobile didn’t disclose many details about the “how” of last year’s breach, but it said the intruder(s) “leveraged their knowledge of technical systems, as well as tools and specialized capabilities, to gain access to our test environments, then used brute force attacks and other methods to force their way into other computer servers containing customer data.

A sales thread related to stolen T-Mobile customer data.

Comments are closed.