
AT&T Pays $370K Ransom Following Data Breach Tied to American Hacker

AT&T has confirmed a major data breach affecting nearly all of its wireless customers, with the incident linked to an American hacker residing in Turkey. The telecom giant reportedly paid $370,000 in ransom to prevent the leaked information from being made public.

The breach, disclosed by AT&T last Friday, involved the exfiltration of customer call and text interaction records from May 1, 2022, to October 31, 2022, and on January 2, 2023. These records originated from AT&T’s 'workspace' on a third-party cloud platform, and although they did not include sensitive personal information or the content of communications, they did contain details such as the phone numbers interacted with, call or text counts, and call durations. AT&T assured customers that names were not included in the compromised data, though it noted that phone numbers could potentially be linked to names using publicly available tools.

In response to the breach, AT&T is notifying approximately 110 million affected customers. The company has stated that the stolen data is not believed to be publicly accessible and has confirmed the apprehension of at least one individual in connection with the incident.

Over the weekend, more details emerged about the breach. According to a report by Wired, AT&T paid a ransom of $370,000 in bitcoin to a hacker in May to secure the deletion of the stolen data. The hacker, associated with the notorious ShinyHunters group, initially demanded $1 million but ultimately settled for less. Proof of the ransom payment was provided through cryptocurrency transfer records and was confirmed by multiple sources.

The stolen customer data appears to have been obtained from the Snowflake data storage platform, which has recently been targeted by hackers using stolen credentials. Several other major companies, including Ticketmaster, Santander Bank, Advance Auto Parts, and Neiman Marcus, have also been impacted by the Snowflake breaches.

John Binns, an American hacker living in Turkey, has been identified as a key figure in the AT&T hack. Binns, known for his involvement in the 2021 T-Mobile hack, was arrested in Turkey in May 2024 in connection with that breach. His arrest is believed to be linked to AT&T’s statement about an individual being apprehended.

Reddington, a researcher contacted by Binns in April, revealed that Binns claimed to have obtained millions of AT&T customer call logs from Snowflake and sought Reddington’s help in negotiating a data buyback with AT&T. Due to Binns’ arrest, the ransom was ultimately sent to a ShinyHunters member.

The hackers reportedly stored the complete AT&T database on a cloud server, deleting it after receiving the ransom. However, samples of the data may have been distributed to multiple individuals before its deletion.

This breach underscores the ongoing vulnerabilities in cloud-based data storage and the persistent threats posed by cybercriminal groups like ShinyHunters. It also highlights the complex interplay between international law enforcement and cybersecurity as companies navigate the challenges of protecting sensitive customer information.
