AT&T Addresses Recent Data Set Released on the Dark Web (opens in new tab)

(about.att.com)

39 pointsemeraldd1y ago21 comments

21 comments

xyst1y ago

Given how lax AT&T is with this sad press release. They are fully expected to pay some fine, which they will pay after exhausting years of appeals. At that point, people will have forgotten. Impacted people get a check for $5 (if they are lucky). Business as usual.

Nobody goes to jail. Some offshore team is replaced with another bottom of the barrel contractor. Maybe a low ranking executive is given a slap on the wrists, internally. AT&T cuts some internal program to make up for loss (1 year moratorium on T&E for that team)

1oooqooq1y ago

if the press release is out, they already have a deal for a 3.50 identity protection plan as a "fine"

xyst1y ago

I vaguely recall receiving a less than dollar amount check from some PayPal class action lawsuit. Maybe it was in 2012 or 2015.

So that’s also on the table.

underlogic1y ago

AT&T have come a long way since room 641A. At least today they acknowledge their users had some right to privacy

flandish1y ago

Spot on prediction. We need to start pushing for jail for these people running (and owning) these businesses with such carelessness.

- yes. I mean all owners. Shareholders too. All it would take is once for shareholders to get slapped with prison relative to shares owned for this sh*t to stop.

Terretta1y ago

> Shareholders too.

A proportionate share of jail-time days, rounded down. So retail investors would be fine.

1 more reply

breadwinner1y ago

Apparently they encrypted customer passwords instead of one-way hashing [1].

"A security researcher who analyzed the leaked data told TechCrunch that the encrypted account passcodes are easy to decipher."

"The leaked data includes AT&T customer names, home addresses, phone numbers, dates of birth and Social Security numbers."

[1] https://techcrunch.com/2024/03/30/att-reset-account-passcode...

circusfly1y ago

> Apparently they encrypted customer passwords instead of one-way hashing [1].

Pretty incredible, I use one way hashing for my own sites and I don't even have customers, just a couple of accounts I use when I want to demo something.

illusive40801y ago

“There are only 9999 possible passcodes, why bother hashing them?” - AT&T, probably

PS small correction - “passcodes” were admittedly stolen which are numeric security codes that you have to verbally provide when calling in.

iraqmtpizza1y ago

The correct approach is keyed hashing e.g. HMAC/KMAC for something like that, or...?

1 more reply

rdtsc1y ago

> AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web; source is still being assessed.

In the "about us" section

> We help more than 100 million U.S. families, friends and neighbors, plus nearly 2.5 million businesses, connect to greater possibility.

I like how they address themselves in the 3rd person. Did something bad? Use the passive voice and address yourself in the 3rd person.

slazien1y ago

While this might be a marketing tactic in such situations, in this case it's a press release, which is a format where it's common to speak about "yourself" in 3rd person. Look at their other press releases.

rdtsc1y ago

That's fair, it's so reporters can copy paste it. But given the seriousness here it would seem the CEO could have written something more personal. Though of course it covers their ass legally as it doesn't admit or imply guilt, even hits it's a contractor's fault, and nobody can accuse them of not "responding" any longer.

breadwinner1y ago

The only thing more shocking than these regular leaks, is how many banks assume that if you produce SSN and DOB of Person X then you're X! And if you're not X then that's X's problem — His identity got stolen!

arprocter1y ago

Previous discussion: https://news.ycombinator.com/item?id=39754330

illusive40801y ago

On the bright side, I haven’t ever had to pay for a credit monitoring service, and it looks like I don’t have to start now.

toast01y ago

The three major credit buraux all have free monitoring services anyway. They're of course filled with dark patterns; at least one of them emails me more or less anytime an account reports 'your balance has gone up' or 'your balance has gone down', which is super useless, and can't be configured. But hopefully, I'll get notified if a new account is made, and it will be easier to get it closed while it's new.

sys_647381y ago

Their website is truly pathetic leaving the burden on individuals to need to protect this information. They should bleed red severely for this in punitive damages to those impacted.

j / k navigate · click thread line to collapse

21 comments

xyst1y ago

1oooqooq1y ago

if the press release is out, they already have a deal for a 3.50 identity protection plan as a "fine"

xyst1y ago

I vaguely recall receiving a less than dollar amount check from some PayPal class action lawsuit. Maybe it was in 2012 or 2015.

So that’s also on the table.

underlogic1y ago

AT&T have come a long way since room 641A. At least today they acknowledge their users had some right to privacy

flandish1y ago

Spot on prediction. We need to start pushing for jail for these people running (and owning) these businesses with such carelessness.

- yes. I mean all owners. Shareholders too. All it would take is once for shareholders to get slapped with prison relative to shares owned for this sh*t to stop.

Terretta1y ago

> Shareholders too.

A proportionate share of jail-time days, rounded down. So retail investors would be fine.

1 more reply

breadwinner1y ago

Apparently they encrypted customer passwords instead of one-way hashing [1].

"A security researcher who analyzed the leaked data told TechCrunch that the encrypted account passcodes are easy to decipher."

"The leaked data includes AT&T customer names, home addresses, phone numbers, dates of birth and Social Security numbers."

[1] https://techcrunch.com/2024/03/30/att-reset-account-passcode...

circusfly1y ago

> Apparently they encrypted customer passwords instead of one-way hashing [1].

Pretty incredible, I use one way hashing for my own sites and I don't even have customers, just a couple of accounts I use when I want to demo something.

illusive40801y ago

“There are only 9999 possible passcodes, why bother hashing them?” - AT&T, probably

PS small correction - “passcodes” were admittedly stolen which are numeric security codes that you have to verbally provide when calling in.

iraqmtpizza1y ago

The correct approach is keyed hashing e.g. HMAC/KMAC for something like that, or...?

1 more reply

rdtsc1y ago

> AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web; source is still being assessed.

In the "about us" section

> We help more than 100 million U.S. families, friends and neighbors, plus nearly 2.5 million businesses, connect to greater possibility.

I like how they address themselves in the 3rd person. Did something bad? Use the passive voice and address yourself in the 3rd person.

slazien1y ago

rdtsc1y ago

breadwinner1y ago

arprocter1y ago

Previous discussion: https://news.ycombinator.com/item?id=39754330

illusive40801y ago

On the bright side, I haven’t ever had to pay for a credit monitoring service, and it looks like I don’t have to start now.

toast01y ago

sys_647381y ago

Their website is truly pathetic leaving the burden on individuals to need to protect this information. They should bleed red severely for this in punitive damages to those impacted.

j / k navigate · click thread line to collapse