
Data Breach Insights

The Breach of 70 Million AT&T Accounts via Snowflake

  • Caused by Account Takeover via Single-Factor Authentication
  • Enabled by Third-Party Platform Snowflake
  • Biometric Authentication Would Have Helped Prevent It

 

 


What Happened

Earlier in 2024, data belonging to more than 70 million AT&T customers was leaked to the Dark Web, including a large amount of PII such as physical addresses, dates of birth, and Social Security numbers. Now a new breach, which occurred over five months in 2022, has been announced. Approximately 109 million AT&T cellular customers, as well as customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network, were affected. Included in the breach were landline customers whose numbers interacted with those cellular accounts.

While no PII is known to have been stolen in this latest attack, the data that was affected (which includes call and text records) could enable bad actors to triangulate users’ physical locations, compromise the privacy of journalistic sources and people trying to escape abusive relationships, and expose victims to social engineering and other attacks.

Leaked account credentials from Snowflake, a third-party platform used by AT&T, appear to be the attack conduit. A Snowflake breach had previously enabled hundreds of other breaches against large companies, including Santander, Neiman Marcus, and Ticketmaster.

How It Happened

One suspect has been arrested for the breach, after having accessed and copied AT&T call and text logs for nearly all of AT&T’s wireless and MVNO customers and operators. The attack was enabled through a breach of the third-party platform Snowflake, whose user accounts were protected only by single-factor authentication. The credentials for those accounts had previously been stolen through other breaches.

Learn more: AT&T Data Breach: What’s next for affected customers?

How authID Would Have Prevented This

Had AT&T’s Snowflake account been enrolled with the account owner’s facial biometrics using authID’s robust biometric authentication solution for login access, the attacker would have been stopped when required to authenticate using their face to access the Snowflake account containing AT&T’s data. authID’s authentication would be unaffected by smishing attacks, SIM swap attacks, or device malware attacks, which can compromise traditional MFA solutions. This is because authID’s biometric authentication is not tied to any device or phone number but is directly bound to AT&T’s Snowflake account. If the attacker attempted to use a digital facial image of an AT&T Snowflake account owner, either by presenting it to a camera or by injecting it through software, hardware, or network methods, the attempt would be identified as a presentation or injection attack and access would be blocked.


According to IBM Cost of a Data Breach Report - 2023

The average data breach in the US last year cost businesses $4.4M. Biometric verification would have helped stop it.
