Data that likely belongs to AT&T Internet, TV, and landline customers was identified in the hands of Romanian cyber criminals.

On Thursday, August 4th, Hold Security intercepted a 1.6 gigabyte compressed archive placed on a popular Dark Web file sharing site. The largest file in the dataset was a 3.6 gigabyte uncompressed file called dbfull. At first glance, the file contained stolen identity information. After a closer inspection, we believe the data likely belongs to AT&T customers.

Within 24 hours of finding the data, we shared it with AT&T. AT&T has since issued a statement that its systems were not breached to obtain this data. Hold Security worked with journalist Brian Krebs to investigate the dataset. Here we present information about our investigation.

The file consists of 28,511,318 records with the following fields:

Full Name, Cell Number, Landline or Business Phone, Street Address, City State Full Zip, City, Zip, Email, DOB, SSN

The data appears to be generally consistent across the entire file, with less than 3% duplicate rows. There are multiple instances of more than one record per individual with different addresses.

There are 22.8 million unique email addresses and 23 million unique SSNs.

Why this data likely belongs to AT&T Customers

  1. Plus Addressing - a well-known technique that allows the username field of an email address to contain a plus sign and a memo. A number of security-conscious individuals use it to mark the email address they give to a provider with a meaningful note. In this dataset, there are 293 email addresses with plus addressing. This may be considered relatively low; however, we presume that a large number of subscribers did not register for AT&T services via the internet and instead interacted with AT&T customer service to enter their information, which reduced the number of plus-addressed entries.

    All plus-addressed email addresses consistently use AT&T or service-themed terms:
    ATT – 190 addresses
    UVERSE – 42 addresses

  2. Unique Typos – the first clue that data belongs to AT&T customers came from Hold Security’s senior analyst whose uniquely complex last name was misspelled within the dataset. The only place where this spelling error exists is on this analyst’s AT&T Internet bill.
  3. Locale Analysis – according to AT&T, they offer their internet services in 21 states.

    Running analysis on states gives us the following statistics:

    State Percentage of Total
    CA 18.68%
    TX 16.31%
    FL 7.73%
    IL 6.16%
    MI 5.31%
    GA 4.92%
    OH 4.81%
    MO 3.36%
    IN 3.12%
    TN 2.97%
    NC 2.73%
    LA 2.20%
    WI 2.34%
    AL 2.24%
    SC 1.81%
    OK 1.78%
    MS 1.57%
    KS 1.47%
    AR 1.32%
    KY 1.21%
    NV 0.47%
    No state 5.64%
    All other states 1.64%

    Based on the AT&T coverage maps available online, this data matches AT&T coverage 100% for the top 21 states in the dataset.

  4. AT&T-related Entries

    The dataset contains not only user information but also about 12,900 companies (based on LLC, Inc, and matches in names). Another popular search pattern was the word “ATT” in the name field: 387 names start with ATT, with various entries like “ATT PVT XLOW” appearing 81 times. Most addresses go back to AT&T offices.

  5. Emails

    Although AT&T may not be considered an email provider, it offers free email services via Yahoo email, allowing its users to have and email domain names.

    The following is a breakdown of the top email domains identified within the dataset:

    Total 22,786,997  
    Gmail 7,002,210 30.73%
    Yahoo 5,452,563 23.93%
    ATT.NET 3,120,802 13.70%
    Hotmail 1,513,478 6.64%
    SBCGLOBAL.NET 1,144,078 5.02%
    AOL 1,094,924 4.81%
    BELLSOUTH.NET 496,680 2.18%

    These top email domains account for 87% of all email addresses in the dataset, and nearly 21% of all addresses are on email domains that belong to AT&T customers (the ATT.NET, SBCGLOBAL.NET, and BELLSOUTH.NET rows).
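
The plus-addressing tally (item 1) and the email domain breakdown (item 5) can be reproduced on any address list with a short script. This is an added example, not Hold Security's tooling; the function names, the substring match on tag terms, and the sample addresses are assumptions made for illustration.

```python
from collections import Counter

TERMS = ("ATT", "UVERSE")  # tag terms the page reports
ATT_DOMAINS = {"att.net", "sbcglobal.net", "bellsouth.net"}  # AT&T rows of the table

def split_address(addr):
    """Return (base, tag, domain), or None if addr is not usable.
    tag is the upper-cased memo after the first '+', or None."""
    local, at, domain = addr.strip().lower().rpartition("@")
    base, plus, tag = local.partition("+")
    if not at or not base or "." not in domain:
        return None
    return base, (tag.upper() if plus and tag else None), domain

def analyse(addresses):
    """Tally plus-address tags and domain shares over unique valid addresses."""
    tags, terms, domains = Counter(), Counter(), Counter()
    for addr in {a.strip().lower() for a in addresses}:  # de-duplicate first
        parts = split_address(addr)
        if parts is None:
            continue
        _, tag, domain = parts
        domains[domain] += 1
        if tag:
            tags[tag] += 1
            terms.update(t for t in TERMS if t in tag)  # assumed: substring match
    total = sum(domains.values()) or 1  # avoid dividing by zero on empty input
    shares = {d: round(100 * n / total, 2) for d, n in domains.most_common()}
    att = round(100 * sum(domains[d] for d in ATT_DOMAINS) / total, 2)
    return {"valid": sum(domains.values()), "tags": tags, "terms": terms,
            "shares": shares, "att_share": att}

# Constructed sample addresses (not taken from the dataset).
SAMPLE = [
    "user1+att@gmail.com", "User1+ATT@gmail.com",  # same address twice
    "user2+uverse@yahoo.com", "user3+attbill@att.net",
    "user4@sbcglobal.net", "user5@att.net", "user7@bellsouth.net",
    "user6+@aol.com",   # empty memo: valid address, no tag
    "+att@gmail.com",   # no username before '+': rejected
    "not-an-email",
]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(key, value)
```

Substring matching over-counts tags that merely contain a term (a tag such as SEATTLE contains ATT), so review the raw `tags` tally alongside the per-term counts.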

Data Breach Date

The data does not contain any timestamps, and the dbfull file itself is dated June 6, 2022. Hold Security employed the following approach to approximate the date of the last records in the file.

Using the Date of Birth (DOB) field and the statement on AT&T's official site that AT&T only opens accounts for individuals who are at least 18 years old, we analyzed the DOB data with the following results:

Year of Birth Number of Matches
1997 86,419
1998 45,661
1999 15,305
2000 506
2001 26
2002 14

For those born in year 2000:

Month of Birth Number of Matches
January 279
February 159
March 50
April 6
May 2
June 0

Based on these statistics, we see that the last significant number of subscribers were born in March of 2000. Therefore, it makes sense that the dataset was likely created close to March of 2018.
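
The dating approach above, written out as an added example (not Hold Security's code): bucket DOBs by month, take the latest month that still has a significant number of records, and add the 18-year minimum age. The `MIN_COUNT` threshold, the DOB string format, and the monthly split of the 2001 records are assumptions; the birth-year-2000 counts are the ones in the table above.

```python
from collections import Counter
from datetime import date, datetime

MIN_AGE_YEARS = 18  # account-opening age stated on the page
MIN_COUNT = 25      # assumed cut-off for a "significant" month (analyst's call)

def month_histogram(dobs, fmt="%Y-%m-%d"):
    """Count records per (year, month); unparseable DOBs are skipped."""
    hist = Counter()
    for raw in dobs:
        try:
            d = datetime.strptime(raw.strip(), fmt)
        except (ValueError, AttributeError):
            continue
        hist[(d.year, d.month)] += 1
    return hist

def last_significant_month(hist, min_count=MIN_COUNT):
    """Latest birth month whose record count still reaches min_count."""
    hits = [ym for ym, n in hist.items() if n >= min_count]
    return max(hits) if hits else None

def estimate_creation(hist, min_age=MIN_AGE_YEARS, min_count=MIN_COUNT):
    """Youngest significant birth month shifted forward by min_age years."""
    ym = last_significant_month(hist, min_count)
    return None if ym is None else date(ym[0] + min_age, ym[1], 1)

# Monthly counts for birth year 2000 are the page's. The 2001 stragglers are a
# constructed monthly split of the page's yearly total of 26.
PAGE_2000 = {1: 279, 2: 159, 3: 50, 4: 6, 5: 2, 6: 0}

def sample_dobs():
    dobs = [f"2000-{m:02d}-15" for m, n in PAGE_2000.items() for _ in range(n)]
    dobs += [f"2001-{m:02d}-15" for m in range(1, 13) for _ in range(2)]
    dobs += ["2001-01-20", "2001-07-20", "00/00/0000", ""]  # last 2 of 26, plus junk
    return dobs

if __name__ == "__main__":
    print(estimate_creation(month_histogram(sample_dobs())))
```

The threshold is what keeps the handful of 2001 records from moving the estimate; with `min_count=1` the same data would point to December 2019.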

Threat Actors

Hold Security’s Threat Intelligence services tracked this data to a popular file sharing site on the Dark Web. The threat actors who placed the data came from Romanian ISP IP addresses. Other data within files found along with the dbfull dataset had comments, prompts, and variables in the Romanian language. Not much is currently known about the threat actors.

Other data trafficked along with dbfull did not show the same indicators and could not be attributed to AT&T customers though it also contained identity data (around 3.2 million records with 14% SSN overlap with AT&T customer data) including names, addresses, DOB, and SSN. Other scripts and data clearly indicated search patterns and data transformation that malicious threat actors may employ for stolen identity schemes. However, direct abuse angles were not identified.

While we identified a lot of information about this dataset, we presently have no information about where this data originated or whether the Romanian threat actors stole this data or merely came into possession of it from an unknown source.

Hold Security will issue additional updates as more information becomes available.
