AT&T Tried To Deny This Massive Data Breach
Vložit
- čas přidán 3. 04. 2024
- In this video I discuss how a database containing the personal information of over 70 million AT&T customers was sold on the darkweb back in 2021, AT&T denied the data breach, but now the data has been released for free and AT&T is doing damage control (and also facing lawsuits)
My merch is available at
based.win/
Subscribe to me on Odysee.com
odysee.com/@AlphaNerd:8
₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿
Monero
45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436
Bitcoin
3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV
Ethereum
0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079
Litecoin
MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF - Věda a technologie
70m?! Theres only 350m mfs out here 😱.
These telecom companies must be broken up as a matter of national security
Agree. I worked in telecom for years. Their corrupt unions collect tax payer money and sit on their ass all day long. They try to hire illegals and only pay them based on customer reviews (for the cable companies). Literally like 20$ for a service call on your own dime (must have truck and tools lmao). Cell tower contractors are all fly by nights that don't pay their employees because they bankrupt out and run and are staffed full of meth heads. I would love nothing more than to return to my passion and make an honest wage and help people gtfo from under their monopoly.
Bro that already happened already, like several times already.... in fact anti-trust prevented AT&T from merging with T-mobile... ever heard of Bell labs? Well yea of course not if you are younger than 20 years old bcuz they were broken up a long time ago but they made EVERYTHING under the sun in telecommunications...
There’s upwards of 8 billion people on the planet and AT&T has 222 million customers. What are you talking about
@@bingobongo6258he means in the US, AT&T only operates in USA due to way signals in phones are transmitted in USA that specifically can't make all phones be used inside of USA that's why there are us and NON-us phones it's complicated but it's something like that if i remember, most evident i Samsung's lineup snapdragon for US, exynos for global it's similar to imperial system and metric system difference you could sau
@@tamagodonald7149 Thanks that makes more sense. I was misconstruing some stats I was looking at.
If they were located in the EU they would've been f'ed. Here companies MUST report any data breach within 24 hours after finding out or receive a massive fine.
And they still receive a fine for bad security measures that lead to the leak
America, the land of the free from consequences
Yeeehhaaaaahhhh@@inLoopie
@@inLoopie yep, that seems to be the case. Every time some incident happens caused by a major company, it either gets away entirely or gets some joke fine equal to their 1 hour revenue or something
Data breaches don’t just pop up on your screen like a text message.
And most customers can’t do anything about it because they are stuck dealing with a monopoly for their area.
The government causes this. Look at Helium mobile. The cost of setting up a network is the cheapest its ever been - the government/fcc create the monopoly we have now. Has been since ma bell and if you stand against it you go to jail for made up fraud charges (qwest).
and that right there has been the problem all along.
I haven't used AT&T in literally 10 years but I showed up in haveibeenpwned. its wild lol.
In nc its 78% and they have the fastest speed in my area.
Yep. Was my only option at one of my past addresses. Either that or starlink which was only available for preorder. Only coverage I got with mobile back then too that wouldn’t drop out at work.
Human makes a mistake and gets locked up for years
Businesses knowingly committing actions that result in them getting fined should get bigger penalties including being forced to stop business
I wouldn't say stop the business its a American source so it's better to forcefully change the ceo
@@fastshuther obviously there would be different levels depending on the severity and how many times they have been fined
The Pentagon and at&t are in bed together
@@bilboswaggings this is pretty severe I wouldn’t shut down the company over it though, just forcefully change the CEO
In a normally functioning world, employees who are in the know of this kind of amateurism ought to be jointly and severally liable if they do not report this kind of shit to some authority.
Alas that's never going to happen because the people who would make or lobby for such laws are themselves some of the biggest incompetent fools.
The fact that these companies are not held accountable for their shitty security practices infuriates me. Sue and fine the ever loving crap out of them. ReeEEeeeEee
all this is totally legal they passed legislation letting them off the hook for spying on and collecting data a decade ago at least
I worked for a company that shall not be named, that provided a remote desktop service, that effectively just made it so you didn't have to forward ports and remember your IPs.
I found 3 0-click RCE exploits in their packages within the first WEEK.
This is what happens when a country legalizes bribery.
These illegal monopolies are protected by politicians on the take.
The consumers are screwed and voting changes nothing
I go to a small school they had 150,000 ssns and info stolen during a data breach cause they didn’t apply iot security the way they should have here’s the catch they haven’t cleared there database since the 70’s people who attendees in 1971 have there info stolen as well as current students smh they gave us one of them credit watching accounts for scams for 6 months smh
I'm an AT&T customer. They still haven't sent me shit to notify me. I first heard about it last Sunday from my girlfriend of all people, who isn't even into tech or anything like this.
weird flex but ok
I Don’t Believe That’s a "Flex"… He’s Just Making a Simple Statement. Just because He Mentioned a Significant Other (Which You Likely Don’t Have) Doesn’t Mean Anything.
Why Even Make Stupid Ass Replies/Comments Such as Yours?
@@gatonegro187 flex? whos flexing?
@@Omega-mr1jg man thinks women is a flex 🤯
@@gatonegro187Yeah, this piece of shit OP flexing that he has a girlfriend 😤
Considering how lovey-dovey AT&T is with the NSA, you'd think they'd have osmosed some of that security knowledge from their BFF.
Conflicting nsa mandates. Help friendlies avoid cyber compromises, while comitting them on others, with the help to friendlies in the wild.
Meh the only "security" the NSA does is offensive
They did, that’s the problem. 😂
NSA wouldn’t tell you if they have a breach.. but most likely it’s because cyber security is a cat and mouse race, there will never be a winner and the only time you know about it is when the “good guy” loses.
Ah yes, deny it ever happened so you don't lose millions in a law suit and millions more when customers dump you for being negligent with data, very smart of them.
they cant switch lol
local monopolies
@@taureon_well luckily i can, so i’m leaving them
@taureon_ you can "switch" ..... just to another company owned by them lmao.
A couple years ago, I got at&t internet at my apartment and like 10 minutes later I get a scam call from some company that had almost all my information and were trying to sell me some home security garbage. Called at&t back and they had no idea how anyone would have that information.
It's because they sell it immediately. Ally Bank sells your data. The USPS sells your data. The DMV sells your data. Because we live in a corporate kleptocracy where nothing is illegal if number go up
lol if true
10 minutes is not that long at all...
Completely true story. This was before I discovered this Channel and began learning about security and privacy but even then, I felt like I was getting fucked over.
Totally would've cancelled any relationships with AT&T right at the moment, since otherwise the broken butt of north america doesn't lets people do shit.
About to get my 83 cents class action compensation 😊
You can get a pretty big gumball with that. Something to chew on.
Don't chew on it while configuring any large databases though...
Don't worry, the lawyer will get millions!
Honestly the idea that anything serious can be put behind a 4 digit code is horrid.
wait until you see how many peoples phones protect all their passwords, accounts, sim card, files, and more on their phones thats secured behind a 4 digit pin of their birth year
@@ICE0124 And people think I'm nuts for using a 10 digit code on my phone that's completely separate from all my other passwords. Most people wouldn't even think to try one that long if they didn't see me punch it in.
As a att customer with this news coming out I am glad that they have decided to charge me a $99 dispatch fee because my service was down. Turns out the fiber line was loose at the pole outside my residence I called to ask about the charge and brough up the data breech and they offered me a $50 credit. These companies are next level.
ATT should be fined 25k for each person compromised.
Should be per personal identifying information per person in a perfect world
My dude, this is class action case, you will be lucky to get $25. The lawyers on the other hand will get 25M
Ah yes, 1.75 trillion dollar payout. AT&T as an entire company is worth 126 billion and has only 7.5 billion in cash, I’m sure $25,000 per person will work out.
@@Mitch-xo1rdYup. Apple lawsuit led to rewarding its victims with enough money to buy 5 months of apple music subscriptions. 😂
@@harrychufan He said fine, not some payout. It would bankrupt them, which is the point.
"no seasonin' on they password hashes" kinda got me
Watch AT&T put a forced arbitration clause into their TOS so they can't get sued any more.
The terms when the breech took place =should= apply.
Eh, a lot of garbage thrown into TOS is being scrutinized and sometimes ignored. Won't surprise me when someone successfully sues despite a forced arbitration clause soon.
ELI5 pls
@@K_Z_R A lot of the "We've updated our terms of service" emails you've received from services (other than EU updates) have been increasingly for the purpose of adding a forced arbitration clause. If you agree to the new terms with this clause, you are waiving your right to sue (both named and as a member of a class action). Instead you must file a dispute directly with the party and enter a binding arbitration process. The decision made is final and you cannot appeal. At least that is what the common knowledge behind the move is. But in the US some of that very dense TOS legalese is being tossed out as its wording is too complex for ordinary consumers to fully understand, it is outright illegal what's written, the language is too restrictive/burdensome on the consumer as it relates to what the service can actually require, and many other reasons
I think we're past the point where we need a way to get a new SSN at the very least
Managers ignoring warnings from their software engineers about potential issues to push software into production should be negligence when the exact problem they were warned about ends up happening and causing damage to people.
-30 reputation for AT&T 😢
algorithm. Wasn't ATT the fools who had a massive network outage, affecting many 911 services, just this last February? Boy, they are really hitting on all cylinders!
This is why its dumb to require social security numbers for everything.
All data collected by companies and institutions should be shared with the individual it is about. This is a good starting point.
You know they'll just mix it up
CRIMINAL NEGLIGENCE
Just fyi, even of you had AT&T at one point you should look into seeing if your info was stolen. I haven't had AT&T since 2014 and my info was in the dump.
If executives ever took responsibility for anything like this they would be in prison instead of meaningless words.
AT&T really using a cheeto to hold their door lock.
Dude I called AT&T and said “Hi, uh, what are you doing about this, can I get some identity theft prevention service or anything?”
Them: “did AT&T ask you to change your password? If not your data should be safe”
Me: “Great, can I have that in writing on AT&T letterhead? That would be hilarious”
They won’t do shit and I’m probably fucked
Change carriers
$100 Billion dollar company btw.
Yeah, we know.
I'm an AT&T customer, but I used to be a TMobile customer so I'm used to it
Cricket is the best IMO. Funny as that is.
4 unsalted digits you can just run all the hashes and it takes a few minutes...
confirmed my info was on there. I was a long time wireless and wired customer until this year. I have not received any communication from them except the refund from my cancellation.
How did you confirm?
@@abakedpotato1486 Google one dark web monitoring. Have I been pwned has the email dataset too. I checked LastPass and it did not have the dataset. Capital one was the original one to alert me the other night but just mentioned my email address.
norton contacted me not att bums
It’s too bad we don’t have free and open source cellular services
That would require free and open source infrastructure, open source is one thing, but free isn't happening.
@@aynonymos I mean, free could happen if the government wasn't a bunch of cucks that let the internet providers fuck them. In American we paid 400 billion for fiber already, I don't know what the situation is with cell towers, but I feel like it could be "free". It could be, more technically put, at cost. Which is essentially free at the costs it would be at that scale. Don't normalize corporation fuckery.
Another argument is why besides where we need to, why are we still using sms and normal voice calling. Internet based messaging (Signal, whatsapp, etc) is already good enough, and wifi calling and stuff seems just fine. We could absolutely either nationalize or make internet a utility like service and make it essentially free. At cost, at scale, essentially free.
MainiaHause Sure they could still be breached since no system is perfect, but assuming having no support or legal team just because it's open source is kinda wild
@@aynonymos Free as in freedom to control your own data, or better yet, have little data attached at all. I’m not gonna pretend I understand how cell services work, but I’m willing to bet it would be possible to implement without requiring the plethora of information given e.g. email, birthday, etc. If we were able to largely decentralize and anonymize money away from banks, I’d imagine it would be possible to do with phone services.
@@user-nk2re7ms7dthe protocols to make most of the Internet work are open standards and you can peer with any other ISPs at one of their central offices or at an IPX. I think the biggest obstacles are that location tracking is required so the network knows what cell tower to use when talking to your device, and that all the telco vendors add back doors for CALEA. I would not be surprised if some agency would show up with a warrant asking to leave some sort of trackers on your network when they found out that you built a free open source one.
(former) ATT customer here... No notification from them at all.
If it were one of our businesses disclosing like this, we’d be toast.
Remember this. These corporations have more money than governments. And somewhat more Powerful.
AT&T needs correction 💢
Damn bratty telecom companies…. Releasing personal information…
4 digit numeric code? What a joke. That won't take a full rainbow table, more like a rainbow plate.
idk how this goes in the US, but where I live, debit cards only have a 4 digit security code (PIN) (which through online banking you can use for transactions of up to 4 figure amounts).
I never understood how this can be secure? How is the most important account you have (your bank account) secured by a 4 digit (0-9) PIN, while my password on some random website that I wouldn't even care if it got breached, requires minimum 8 characters, 1 capital letter, 1 number, 1 special character ???
@@mistersir3020because in most cases you require far more than a pin code to access someone's card. If your actual card details are out their they don't even need the pin. The pin is just the last step in ensuring someone picking up your card can't just use it. But nowadays contactless exists and hardly has any limits anyway so pins are also in effect useless
In contrast, a password on a website for example is the only (other than 2fa) thing required to get into anyone's account, and a 4 digit numerical password takes milliseconds to randomly guess, which is why you can't just enter passwords over and over again, but when you have the hash you can "guess" as many times as you want
@@mistersir3020 Realtime lockouts. The card is locked after 4 to 6 wrong attempts.
@@Knirin There are only 9,999 possible variations and 70 million customers these were not properly salted so if you link up one you can identify everyone else with that same pin. You social engineer the pin out of one person and you now know the pin of ~7000 other people that also picked the same pin. This security is a joke.
@@zyxwvutsrqponmlkh I was talking about debit card PINs. You still need the debit card to perform the attack so the PIN by itself is almost worthless. The card by itself is actually far more useful. Using a 6 or 8 digit PIN would be nice but isn't required for what debit card PINs are designed to defend against. Replacing the PIN with any form of MFA is generally going to result in worse security and more customer headaches. Adding transaction notifications over a secondary channel would definitely improve security but you can't replace PINs with that mechanism.
Back to the ATT&T account PIN. What is salting designed to do? Originally it was to prevent simple offline attacks on one password from compromising other accounts because of reused passwords. Now it is to prevent you from using a rainbow table to "instantly" know all of the passwords in the password database. It doesn't help you if the password database also includes all of the required information for a password reset. Password salting is especially useless if there isn't any rate limiting on the password reset mechanism itself.
Unfortunately the account PIN is the least useful information that got leaked. Would it be nice if the account PINs were longer? Yes. Would it stop data breaches? No. What would salting the account PIN do right now? Cost ATT&T and the customers more money without stopping the underlying data theft problem.
You talked about social engineering the PIN out of one person. Without access to the database how do you know who else uses that PIN? You don't. If you had the leaked database you don't need the PIN to damage someones ATT&T account even if it was properly salted, because you know enough to reset the PIN. Also you aren't widely attacking ATT&T accounts because that makes a lot of noise at ATT&T. You go commit fraud elsewhere with the information you learned in the data leak.
Properly salting the PINs is the last action ATT&T needs to make, not the first.
I just got an alert from Lifelock and they said that I was one of the people who's data was leaked. Including name, email and SSN. No idea how they got the SSN, I don't typically give that out to anyone, certainly not something like AT&T.
This is informative and unfortunate.
louis reference
When your maximum is 9999, I remember a graph from a lecture that over 85% of people's PINs are below 5000.
Key point, if you WERE an att customer in the last decade, you should probably be on guard too. Not just if you ARE an att customer currently.
Breach Forums is def a glowie honey pot
why u say that?
@@ozziedegens just stating the obvious
on (pootube)
@@ozziedegens It's been more than a year before the site owner got a very secure apartment, orange jumpsuit makeover, and free set of steel bracelets from the government, but his site's still up? Now it's harder to set up an account, I'm gonna guess most likely there's some java based captcha in place to easily pierce TOR too like they did when they took out the opva sickos, I know I wouldn't touch that place even if I was behind ten proxies because I value my freedom.
@@SudoTragic Lmao if someone asks "why u say that?" and they don't sound sarcastic, I feel like they don't know what the obvious is, and that's literally what they're asking about. I'm not too deep in these dark net forums, so I couldn't tell you why it's obvious either. Your reply literally made me blow air through my nose harder than usual because it was so unhelpful
Most banks don’t allow you to use a special character. Yikes
No notification from AT&T. How can they get away with not notifying affected customers
The government doesn't care.
Explains all the scams I've been getting recently with my PII told to me. Shame that I wasn't notified!!
Y'all need GDPR. Mandatory reporting of data breaches, fines for each occurrence. Obligations for companies to protect their data.Edit: protect *your* data.
We have laws for this they just aren’t properly enforced
@@dirtcache6128 so basically you dont have laws for it then
@@GeometricPidgeon We have defunded government agencies that don't have the teeth to enforce what little weak laws do exist.
3 YEARS?!? Jesus. Thats very concerning.
Four numbers is not enough entropy no matter what kind of encryption you use.
My email came up in the public leak but I don't recall ever being an at&t customer so idk if I should be concerned
I was already contacted by scammers calling me saying that I had placed an order on ATT for 2 iPhone 15’s and that they’re being delivered to an address that wasn’t matching their records. I obviously knew it wasn’t ATT, but I played along to figure out their plan. It’s just a simple get info type of scam. Either way I’m pissed because they shouldn’t have any of my info. Definitely not going to remain a customer after this.
and they're slow
"Maybe if we close our eyes, it will go away.."
-AT&T
😂
I use at&t and this is my first time hearing about this
they sat on this information for three years??? The punishment must be severe, judicial dissolution must be on the table.
The only thing worse than this is their customer service.
Authority and monopoly go hand in hand. Nothing can be done about it.
As an att customer this is the first im hearing of this. This makes sense why my account got a little weird last year.
The one thing that I think of whenever I see stories like this is that it's better to eat crow when it's young and tender. Many companies for legal liability reasons forget this simple tact of life. Now, AT&T is going to owe more than if they headed it off early. Even if they thought it was possibly fake it's much better to inform customers early that they are investigating a possible data breach in order to make as much of the data leak as useless as possible.
Why on earth did anyone give a phone company their SS# in the first place?
they literally have to in order to get the cell service. it’s dumb as hell
@@poorly_dressdyou don’t need an ssn unless you want a pp plan
Literally anything ATT has done that has affected me has affected me negatively. I’ve never had a single positive experience with ATT
I use AT&T and I’ve received not a single email notifying me of any of this. Had you not reported on this I’d have no idea. I thought there was a strange crazy uptick in scam calls
Yeah a month after this breach I was a victim of id theft. It was really nefarious. They used my ssn to buy phones hoping I wouldn’t notice until it hit collections. No they haven’t said anything.
thank you for this video. as an att user i feel fucked
I dropped AT&T in October, and I did not hear squat from them about this. Definitely going to be paying attention to the lawsuits.
im not just cooked im boiled
My service is under AT&T towers bruh
Same :(
brb bout to post yalls social security numbers
I should’ve been born a company.
I agree with this. I saw a lot of signs of man in the middle attacks right before the outages
This reminds me of the bad security of the Sony Playstation data breach from like 15 years ago. I guess they never learned from the bad database security from 15 years ago!
That PSN breach actually happened 13 years ago back in April 2011.
Four pin digits are useless.
I would have to change them weekly at a minimum.
This is goong to be a thing for everyone eventually. This is at least the third time I got notified that a company I did business with had shit security. Yeah, I saw this and was basically thinking just another day in this stupid digital gulag.
Ain’t this the same company that said that it’s reading your text messages to fine you for not being politically correct?
I’d absolutely sue them if they tried to fine me and I’d publicize it as much as possible to do the most damage possible to the company!
Nah, or else I would been canceled ages ago. 😅
Less "fine you for not being PC" more "rat on you to the FBI for organizing a terror cell"
On text, like in email, don't write anything you wouldn't be fine with having read back to you in a court of law with your name on it.
Say what now?
source? didn't find anything on google, i did find that at&t apparently contributed a lot of money to the anti-abortion bill so i find your original statement to be unlikely
If they can, everyone should cancel their AT&T accounts.
I always hated AT&T but hearing about how they tried to deny their data breach confirms it how embarrassing their company is.
... wishing AT&T was still broken up. Way too many eggs in one basket.
Im a current att customer and have not been contacted by them about this situation
Bottom line, if they can't secure the data, they shouldn't have the data.
I’m still a bit of a cyber security noob, but what would somebody that has their data leaked do to make sure they are protected? I would appreciate any response thanks!
While I'm admittedly not too deep in the weeds with cs myself, the best course of action I can advise (which is easier said than done) is attempt to identify what personal information has been exposed, and then take it on a case by case basis. You password is leaked? Change you password. Credit card number is exposed? Cancel the card. It really depend on what information is exposed, but the general gist is you want to distance yourself from the exposed information as much as possible, so even if someone has it they can't do anything. Best of luck!
@@dc9591 yeah I have family members with AT&T, and if I’m a noob to this they aren’t even aware this kind of stuff happens. I appreciate the quick response!
@Mental Outlaw can you make a video on how to check if your info is apart of one of these data bases. What to do about it
A lot of databases are exposed to the lowest paid employees in regards to information services (like customer service reps), and then they wonder why the stuff keeps leaking. Hackers likely put a bounty on getting passwords to access that stuff, that would be months or even a whole year of wages to somebody at a temp agency with no loyalty to their employer. Sure there are other methods if they're looking for "street cred", but social engineering the way around corporate does things seems the easiest way in.
Still waiting for the video that starts with 'Ohhh Boy'
Bro thats damn near half the country social security numbers breached....
didnt know about this until now
No dice for me. My dad as well seems to also have recieved many scam calls
Wouldn't brute-forcing 4 digit passcodes be super easy even if they were salted? Sure you can't create rainbow tables, but 10000 possibilities is still not that much. Especially if you want to target individual people and not just crack everything there is
The salt is generally the same length as the digest size of the hash. 160 bits in the case of sha1.
First ive heard about this ._.cool !!!!!
Well... -_- this is the first i'm hearing of this, as an ATT customer.
Now i'm gonna have to get this Fucking database and see if i'm stuff is in it
It's 5GB compressed. Better download before bed
@@MentalOutlawwhere is it hosted?
it's in haveibeenphoned, if you know your AT&T email
Internet's bottom of the barrel is the place.@@thejhonnie
ultra lol
How is this not going to be on the news for 30 days and how are the whole IT team at AT&T not going to be fired and criminally charged?? 😂
someone i know got mail sent to them from another company that wasn't involved with AT&T saying that their data was leaked. AT&T can't even notify their customers correctly...
American are the kings of reframing. so instead of saying a BREACH, the reframed it to a RELEASE...
AT&T waited until St Patty's 😅 "Hope they're drunk enough to forget about how fukn inept we are 🎉"
Most of Michigan is AT&T including my great grandmother and they haven’t sent any letters or emails
im happy i left ATT back when they really were screwing me hard because i was attempting to use an out of carrier phone that had the same hardware as an incarrier phone.
How do we check if our social security numbers were on the leak?
Please can you send the link for court listener?
I’m paying every month for 3 lines, my data was breached, but thankfully they offered a $5 monthly credit towards the bill
when the government doesn't listen (why would they, the lobbyists pay them too much) the people need to force justice.
Either mass boycotts or lawsuits will be needed, they only care about money, so take it from them.
They don't care, and they won't suffer any significant loss for it. Any company losses will look big to the average person, but will be a drop in the bucket for AT&T. That's the way mistakes have been handled for centuries-smoke and mirrors.
Saw my shit on the dark web smh
I was just on the phone with their customer support for another issue and they are reaching out to customers about this breach now. They had something in the recorded prompts about it.
i got a ad for T-Mobile right before this video... how funny