SIGforum.com    Main Page  Hop To Forum Categories  The Lounge    AT&T email says they reset customer passcodes
12131 (Oriental Redneck)
posted
I thought it was a scam. Since when did they take the liberty of resetting customer passcodes? It turns out it wasn't a scam.

AT&T resets account passcodes after millions of customer records leak online

Zack Whittaker (@zackwhittaker) / 9:10 AM CDT, March 30, 2024

Phone giant AT&T has reset millions of customer account passcodes after a huge cache of data containing AT&T customer records was dumped online earlier this month, TechCrunch has exclusively learned.

The U.S. telco giant initiated the passcode mass-reset after TechCrunch informed AT&T on Monday that the leaked data contained encrypted passcodes that could be used to access AT&T customer accounts.

A security researcher who analyzed the leaked data told TechCrunch that the encrypted account passcodes are easy to decipher. TechCrunch alerted AT&T to the security researcher’s findings.

In a statement provided Saturday, AT&T said: “AT&T has launched a robust investigation supported by internal and external cybersecurity experts. Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.”

“AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set,” the statement said.

TechCrunch held the publication of this story until AT&T could begin resetting customer account passcodes. AT&T also has a post on what customers can do to keep their accounts secure.

AT&T customer account passcodes are typically four-digit numbers that are used as an additional layer of security when accessing a customer’s account, such as calling AT&T customer service, in retail stores, and online.

This is the first time that AT&T has acknowledged that the leaked data belongs to its customers, some three years after a hacker claimed the theft of 73 million AT&T customer records. AT&T had denied a breach of its systems, but the source of the leak remains inconclusive.

AT&T said Saturday that “it is not yet known whether the data in those fields originated from AT&T or one of its vendors.”

In 2021, the hacker claiming the AT&T breach posted only a small sample of records, making it difficult to check if the data was authentic. Earlier in March, a data seller published the full 73 million alleged AT&T records online on a known cybercrime forum, allowing for a more detailed analysis of the leaked records. AT&T customers have since confirmed that their leaked account data is accurate.

The leaked data includes AT&T customer names, home addresses, phone numbers, dates of birth and Social Security numbers.

Security researcher Sam “Chick3nman” Croley told TechCrunch that each record in the leaked data also contains the AT&T customer’s account passcode in an encrypted format. Croley double-checked his findings by looking up records in the leaked data against AT&T account passcodes known only to him.

Croley said it was not necessary to crack the encryption cipher to unscramble the passcode data.

Croley took all of the encrypted passcodes from the 73 million data set and removed every duplicate. The result amounted to about 10,000 unique encrypted values, which correlates to each four-digit passcode permutation ranging from 0000 to 9999, with a few outliers for the small number of AT&T customers with account passcodes longer than four digits.

According to Croley, the insufficient randomness of the encrypted data means it’s possible to guess the customer’s four-digit account passcode based on surrounding information in the leaked data set.

It’s not uncommon for people to set passcodes — particularly if limited to four digits — that mean something to them. That might be the last four digits of a Social Security number or the person’s phone number, the year of someone’s birth, or even the four digits of a house number. All of this surrounding data is found in almost every record in the leaked data set.

By correlating encrypted account passcodes to surrounding account data — such as customer dates of birth, house numbers, and partial Social Security numbers and phone numbers — Croley was able to reverse-engineer which encrypted values matched which plaintext passcode.

AT&T said it will contact all of the 7.6 million existing customers whose passcodes it reset, as well as current and former customers whose personal information was compromised.

Q

Posts: 28333 | Location: TEXAS | Registered: September 04, 2008
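The technical observation in the quoted article is that 73 million "encrypted" passcodes collapsed to about 10,000 distinct values, which is exactly what a deterministic scheme (no per-record salt or nonce) over a four-digit space produces: every customer with the same passcode gets the same stored value, so one record whose passcode is known unmasks every record sharing it. The script below is an added example, not code from the thread, from TechCrunch or from Croley's analysis. It shows the audit check a defender can run on such a dump, the shared-value effect, and the per-record-salt change that removes the collision (it does not enlarge the 10,000-value search space, so lockout and rate limiting at the point of use remain necessary). All records, the key, the birth years, house numbers and passcodes are constructed, and a keyed HMAC stands in for whatever cipher the real data used.

```python
"""Added example (not part of the SIGforum thread or TechCrunch's reporting).

Shows why a dump whose "encrypted" four-digit passcodes collapse to roughly
10,000 distinct values is a deterministic-encryption red flag, and what a
per-record salt changes. Everything here is constructed: the key, the rows
and the keyed-HMAC stand-in for the unknown real cipher.
"""
import hashlib
import hmac
import os
import random
from typing import Optional

KEY = b"constructed-demo-key"   # stand-in for a single system-wide key
PIN_SPACE = 10_000              # passcodes 0000..9999


def protect_deterministic(pin: str) -> str:
    """Weak: equal passcodes -> equal stored values for every customer."""
    return hmac.new(KEY, pin.encode(), hashlib.sha256).hexdigest()[:16]


def protect_salted(pin: str, salt: Optional[bytes] = None) -> str:
    """Per-record random salt, stored beside the tag as 'salthex:tag'."""
    salt = os.urandom(16) if salt is None else salt
    tag = hmac.new(KEY, salt + pin.encode(), hashlib.sha256).hexdigest()[:16]
    return salt.hex() + ":" + tag


def verify_salted(pin: str, stored: str) -> bool:
    """Check a candidate passcode against a salted record (constant-time compare)."""
    salt_hex, tag = stored.split(":", 1)
    recomputed = protect_salted(pin, bytes.fromhex(salt_hex)).split(":", 1)[1]
    return hmac.compare_digest(recomputed, tag)


def build_records(n: int, protect, seed: int = 1) -> list:
    """Constructed customer rows. Birth year and house number are stored in
    the clear (as in the leak); a share of customers reuse one as their PIN."""
    rng = random.Random(seed)
    rows = []
    for i in range(n):
        year = rng.randint(1940, 2005)
        house = rng.randint(1000, 9999)
        draw = rng.random()
        if draw < 0.3:
            pin = str(year)                         # birth year as PIN
        elif draw < 0.5:
            pin = str(house)                        # house number as PIN
        else:
            pin = f"{rng.randint(0, 9999):04d}"     # unrelated PIN
        rows.append({"id": i, "birth_year": year, "house": house, "token": protect(pin)})
    return rows


def distinct_token_ratio(rows: list) -> float:
    """Audit: distinct stored values / rows. Per-record randomness gives ~1.0;
    a deterministic scheme over a 4-digit space can never exceed 10,000 distinct."""
    return len({r["token"] for r in rows}) / len(rows)


def looks_deterministic(rows: list) -> bool:
    """True when there are more rows than the PIN space but no more distinct
    stored values than the PIN space: the signature Croley observed."""
    return len(rows) > PIN_SPACE and len({r["token"] for r in rows}) <= PIN_SPACE


def largest_shared_group(rows: list) -> int:
    """Size of the largest set of rows with an identical stored value. Under a
    deterministic scheme, one known passcode in that group unmasks all of them."""
    counts = {}
    for r in rows:
        counts[r["token"]] = counts.get(r["token"], 0) + 1
    return max(counts.values())


def reuse_rate_deterministic(rows: list) -> float:
    """Defender-side metric (requires the key): fraction of rows whose stored
    value is the token of a field sitting in the same row."""
    hits = 0
    for r in rows:
        candidates = (protect_deterministic(str(r["birth_year"])),
                      protect_deterministic(str(r["house"])))
        hits += r["token"] in candidates
    return hits / len(rows)


if __name__ == "__main__":
    weak = build_records(20_000, protect_deterministic)
    strong = build_records(20_000, protect_salted)
    print("deterministic:", looks_deterministic(weak),
          f"ratio={distinct_token_ratio(weak):.3f}",
          "largest shared group:", largest_shared_group(weak),
          f"own-field reuse={reuse_rate_deterministic(weak):.2f}")
    print("salted:", looks_deterministic(strong),
          f"ratio={distinct_token_ratio(strong):.3f}",
          "largest shared group:", largest_shared_group(strong))
```

Run it and the deterministic set reports a ratio of at most 0.5 with a large shared group, while the salted set reports a ratio of 1.0 and groups of size one. The reuse metric is the defender's view of the article's point about meaningful passcodes: with the key in hand, the operator can measure how many customers chose a value that already sits in their own record and prompt those customers to change it.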
Member
posted
quote:
Originally posted by 12131:
I thought it was a scam. Since when did they take the liberty of resetting customer passcodes? It turns out it wasn't a scam.

AT&T resets account passcodes after millions of customer records leak online
[...]
Well. My passcode was not reset. Had to call ATT this morning. More and more robots. I am sick of it.
 
Posts: 17718 | Location: Stuck at home | Registered: January 02, 2015
architect (Optimistic Cynic)
posted
How are they disseminating the "reset" authentication credentials? Perhaps this could represent as significant a leak as the theft of (apparently weakly) encrypted passwords. Wouldn't be the first time a recovery effort led to a worse outcome than the initial compromise.

Four numerical digits?!?!?!??! A sequential/dictionary attack overcomes the necessity of any "cracking" or other decryption effort. Counting and outputting from 1 to 10,000 takes 0.002 seconds on my Raspberry Pi (the slowest computer I own) using a non-optimized utility program.
 
Posts: 6978 | Location: NoVA | Registered: July 22, 2009
Page late and a dollar short
posted
Guess I’m seeing a trip to the local AT&T store. I got the email, but nothing telling me what our new passcode is. Guess we are supposed to guess what it is?

--------------------------------
Ignorance is a powerful tool if applied at the right time, even, usually, surpassing knowledge (E.J. Potter, A.K.A. The Michigan Madman)
 
Posts: 8529 | Location: Livingston County Michigan USA | Registered: August 11, 2002
Rey HRH (His Royal Hiney)
posted
Companies and, now, some financial websites, make you periodically change your login password.
"It did not really matter what we expected from life, but rather what life expected from us. We needed to stop asking about the meaning of life, and instead to think of ourselves as those who were being questioned by life – daily and hourly. Our answer must consist not in talk and meditation, but in right action and in right conduct. Life ultimately means taking the responsibility to find the right answer to its problems and to fulfill the tasks which it constantly sets for each individual." Viktor Frankl, Man's Search for Meaning, 1946.
 
Posts: 20311 | Location: The Free State of Arizona - Ditat Deus | Registered: March 24, 2011
r0gue (Seeker of Clarity)
posted
Remember that (likely) many of your 2FA settings require a text message to your cell. The cell account itself becomes a point of vulnerability to far more important resources. If they port your number to them, they become the recipient of the 2FA code.

Whenever possible I lean to a rolling code like Google Authenticator.
Posts: 11494 | Registered: August 02, 2004
Ignored facts still exist
posted
What?? Just over one month ago they had the infamous software update that F'ed up their network.

Who's running the show over there anyway??

By the way, I'm now less inclined to believe that the incident a month ago was an innocent software update. It's a matter of credibility, and they've now lost their credibility.

.
Posts: 11232 | Location: 45 miles from the Pacific Ocean | Registered: February 28, 2003
architect (Optimistic Cynic)
posted
A "trip to the local AT&T store" huh? Looks like this may be no more than manufacturing a sales opportunity for AT&T.

If you can't lure them into the store, then scare them into the store! Marketing in the 21st Century.
 
Posts: 6978 | Location: NoVA | Registered: July 22, 2009
Ignored facts still exist
posted
A little more info today. Source: https://www.cbsnews.com/news/a...4-cbs-news-explains/

Some quotes:

quote:
AT&T on Saturday said it doesn't know if the massive data breach "originated from AT&T or one of its vendors,"

What difference does that make??

Seems to me that AT&T would need to assure that any vendor who had access first has adequate security in place. Therefore it's still on AT&T.

quote:
AT&T said the breach on Saturday affects about 7.6 million current and 65.4 million former AT&T customers.

You can check out any time you like, but you can never leave.

.
 
Posts: 11232 | Location: 45 miles from the Pacific Ocean | Registered: February 28, 2003
© SIGforum 2024