AT&T, one of the largest telecommunications companies in the US, revealed on Friday that it paid over $300,000 to a hacker to delete stolen call records of tens of millions of its customers. The hacker, a member of the infamous ShinyHunters group, received the payment after providing a video showing the deletion of the data.
The hacker, who stole the data through unsecured Snowflake cloud storage accounts, said AT&T paid the ransom in May. He provided cryptocurrency wallet addresses and received the payment of 5.7 bitcoin, worth approximately $373,646 at the time. Chris Janczewski from TRM Labs confirmed the transaction and noted that the funds were laundered through multiple exchanges and wallets.
A security researcher known as Reddington acted as an intermediary in the negotiations. He confirmed the payment and provided proof of his fee from AT&T. Initially, the hacker demanded $1 million, but the final amount was settled at a third of that.
Reddington, who has facilitated several such negotiations, was contacted by an American hacker in Turkey, believed to be John Erin Binns. Binns claimed to have obtained Reddington’s AT&T call logs and millions of other records. After verifying the breach, Reddington alerted security firm Mandiant, which then informed AT&T. In a regulatory filing, the company acknowledged that it learned of the breach in April.
AT&T is among over 150 companies targeted in a spree of breaches involving poorly secured Snowflake accounts. The hackers abused these weakly secured accounts to steal data from several firms, including Ticketmaster, Santander, LendingTree, and Advance Auto Parts.
Reddington explains that the breaches likely began with Ticketmaster’s account, which led the hackers to target other Snowflake accounts using stolen credentials. The stolen AT&T data included call and text metadata, such as phone numbers, communication dates, and call durations, but not the content of calls or messages.
Despite AT&T’s efforts to mitigate the breach, including paying for the deletion of the data, some risks remain. Reddington believes the complete dataset was deleted, but it is unclear how many partial copies might still exist.
The hacker who received the payment claimed that Binns was responsible for the breach. Binns, however, was arrested in Turkey in May for an unrelated 2021 data theft from T-Mobile. This information aligns with AT&T’s SEC filing, which mentioned that at least one person involved in the breach had been apprehended.
Binns, who has had several interactions with US authorities and has made various claims about being targeted by the CIA, was indicted on 12 counts related to the T-Mobile hack. His unusual behavior and allegations of being influenced by a brain implant suggest a complex and troubled individual.
As AT&T disclosed the breach to the public and the SEC, it highlighted the ongoing challenges of cybersecurity and the lengths companies must go to protect sensitive customer data.