A gang of cybercriminals reportedly hacked AT&T email accounts and used them in a $20 million crypto theft.
Last month, an anonymous source told TechCrunch that unknown hackers gained access to a part of AT&T’s internal network, allowing them to create mail keys for any user.
The keys let account owners log into email clients such as Outlook and Thunderbird without entering their account passwords. However, they could also allow intruders to initiate password resets, take over the victim’s email accounts, and steal their crypto, TechCrunch reported.
AT&T confirms that hackers breached user email accounts
AT&T confirmed it detected an “unauthorized creation of secure mail keys,” which could, in some cases, grant hackers access to users’ email accounts.
The telecommunications giant responded by updating its security controls, forcing a password reset on some email accounts, and wiping out any access keys that had been created. However, AT&T declined to estimate the number of email accounts affected or to say whether the issue had been conclusively resolved.
Claiming that hackers exploited an API issue, AT&T denied that its internal network was breached.
“There was no intrusion into any system for this exploit,” said AT&T spokesperson Jim Kimberly. “The bad actors used an API access.”
AT&T also did not disclose which email accounts were compromised, but the anonymous tipster claimed that att.net, sbcglobal.net, bellsouth.net, and other AT&T email services were affected.
It remains unclear when the hackers began breaking into the email accounts. However, one alleged victim claimed he started noticing suspicious activity in November 2022, when his email keys repeatedly stopped working, forcing him to generate new keys again and again to access his Outlook client.
Allegations that hackers are breaking into the accounts of people with AT&T email addresses have been making the rounds on social media for a while. One alleged victim said in a Reddit thread that the unauthorized key generation activity lasted at least two years.
Another Redditor noted that the threat actor maintained access even after a password reset and did not bother to recover it.
According to a post on the threat actor’s Telegram channel, the group allegedly obtained the “entire AT&T employee database” but failed to acquire the company’s VPN server certificate.
Hacked AT&T email accounts used in crypto theft
According to the whistleblower, hackers exploited AT&T email accounts to steal cryptocurrency from accounts linked to cryptocurrency exchanges such as Coinbase and Gemini.
One alleged crypto theft victim said he lost $134,000 after hackers accessed his Coinbase wallet, allegedly via his compromised AT&T email account.
The anonymous tipster reportedly provided a list of victims, claiming that the resulting crypto theft was worth between $15 million and $20 million.
At the time of writing, AT&T has not disclosed the extent of the breach, and the crypto theft allegation could not be independently verified.
Commenting on the AT&T email hack, James McQuiggan, Security Awareness Advocate at KnowBe4, said hackers are highly focused on optimizing their efforts and maximizing their profits, which makes an attack of this kind worthwhile to them.
“As cybercriminals continue to improve their attack vectors, gaining access to internal systems of large organizations that provide services to thousands and millions of end-users or other organizations, they continue to find more ways to capitalize their efforts to reduce their ROI,” noted McQuiggan. “They’re looking to increase their ROI for their efforts, and gaining access to email accounts leads to password resets of other accounts and improves their ability to make more money.”
Crypto theft is one of the easiest methods for hackers to monetize their skills. According to a report by crypto analytics firm Chainalysis, investors lost $3.8 billion in 2022 to crypto theft.