Hackers have stolen data about nearly all of AT&T Inc.’s cellular plan subscribers, the carrier disclosed in a regulatory filing today.

The company also published an overview of the breach in its online support portal. According to AT&T, the hackers gained access to call and text logs generated from May 1, 2022 to Oct. 31, 2022 as well as on Jan. 2, 2023. The compromised logs include the phone numbers that the affected users contacted, as well information about the number and duration of the calls they made.

Some of the records also contain the unique identifier of the cell towers that processed users’ communications. According to AT&T, the hackers didn’t gain access to more sensitive data such as affected users’ personal information.

The company is working with law enforcement agencies to support their investigation of the breach. It detailed on its support portal that authorities have made at least one arrest in connection with the cyberattack. Separately, the carrier has taken steps to secure the system from which the hackers stole the data.

“Telecommunication companies, with their vast troves of sensitive data and customer information, must view this incident as a stark reminder that proactive cybersecurity measures are essential,” said Nick Tausek, the lead security automation architect at Swimlane Inc., a venture-backed cybersecurity provider. “Relying solely on reactive tools is insufficient. A layered security strategy including incident detection, response, and prioritizing visibility across the entire IT infrastructure is crucial for securing the SOC.”

An AT&T spokesperson told TechCrunch that the compromised information was stored in the carrier’s Snowflake environment. Earlier this year, hackers launched a series of cyberattacks against Snowflake deployments that affected Ticketmaster Entertainment LLC, LendingTree Inc and several other major brands. In June, Google LLC’s Mandiant cybersecurity unit estimated that 165 organizations were targeted by the cybercriminals.

The breaches weren’t the result of a vulnerability in Snowflake. Rather, Mandiant concluded that the hackers logged into the compromised customer environments using account credentials stolen in earlier cyberattacks. The Google unit said that the environments were breached because the affected customers didn’t refresh their login credentials, implement multifactor authentication or block network traffic from unauthorized sources.

Earlier this week, Snowflake updated its platform to reduce the risk that such breaches will happen in the future. The company added a setting that allows administrators to turn on multifactor authentication by default for users. Additionally, Snowflake rolled out a monitoring dashboard that tracks potential cybersecurity risks such as users with access to more data than they strictly require for their work.

The breach that AT&T disclosed today marks the second time the carrier entered the headlines this year because of a cyberattack. In March, a hacker released a dataset with personal information about more than 73 million current and former AT&T customers. In response to the incident, the carrier reset millions of accounts’ login credentials.

Photo: AT&T