According to AT&T, hackers used an API flaw to seize control of victims’ email accounts.
According to TechCrunch, unidentified hackers are accessing the accounts of users with AT&T email addresses, utilising that access to get into the victims’ cryptocurrency exchange accounts and steal their bitcoin.
An unnamed source informed TechCrunch at the beginning of the month that a group of hackers has discovered a means to access the email accounts of anyone with an att.net, sbcglobal.net, bellsouth.net, or other AT&T email address.
The tipster claims that the hackers are able to produce mail keys for any user since they have access to a portion of AT&T’s internal network. AT&T email customers who utilise mail keys can access their accounts using email clients like Thunderbird or Outlook without entering their passwords.
With a target’s mail key, the hackers can log into the target’s account from an email programme and begin resetting passwords for more lucrative sites, such as cryptocurrency exchanges. At that point the victim is out of luck, since the hackers can use the compromised mailbox to receive the password-reset email for the victim’s Coinbase or Gemini account.
A list of alleged victims was supplied by the tipster. In their responses, two of the victims acknowledged being hacked.
A representative for AT&T, Jim Kimberly, claimed the firm “identified the unauthorised creation of secure mail keys, which can in some cases be used to access an email account without needing a password.”
“To stop this conduct, we improved our security procedures. We also proactively demanded a password reset on some email accounts as a precaution,” the official added.
AT&T did not disclose how many individuals have been affected by this round of hacks. However, the company has restricted some email accounts “as a precaution,” requiring their owners to change their passwords.
The representative said, “This process erased any secure mail keys that had been created.”
Hackers took $134,000 from one victim’s Coinbase account, he told TechCrunch. “It has happened repeatedly since November 2022 — probably 10 times at this point,” the second victim claimed. “I swiftly go into my [AT&T] site and erase their key and establish a new one after I soon detect it has been done when my Outlook client fails to ‘connect.’”
“Very frustrating because it is obvious that the ‘hackers’ have direct access to the database or files containing these customers’ Outlook keys, and the hackers don’t need to know the user’s AT&T website login to access and change these outlook login keys,” said the victim.
Additionally, a number of users with AT&T and other connected email accounts claimed to have been hacked on Reddit.
“Hello, my email was compromised back in March of this year, and I have done everything I can to reset password, security questions, etc. but occasionally I’m still getting emails that a secure mail key has been created on my account without my knowledge,” one customer said. “They even removed the email notification so I wouldn’t see it, but I recently switched to a different email for profile changes, preventing them from accessing my account. This suggests that someone may still be able to access my account, but how?”
Someone else commented: “I’ve had the same problem for months and just started again, password wasn’t changed but account locked out and a Mail Key keeps being created in some manner.”
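The pattern the tipster and the Reddit commenters describe (secure mail keys appearing with no interactive login behind them, keys created right after the notification address was changed, and keys recreated again and again) is something an account-audit pipeline can flag. The following is an added example, not TechCrunch’s or AT&T’s code; the event names, the record layout and the account names are constructed for illustration and do not reflect AT&T’s real logging.

```python
from datetime import datetime, timedelta

# Constructed audit records (hypothetical layout, not AT&T's):
# (ISO timestamp, account, event, detail). Accounts are made up.
SAMPLE_EVENTS = [
    ("2023-04-20T09:00:00", "alice@att.net", "web_login", "ip=198.51.100.7"),
    ("2023-04-20T09:05:00", "alice@att.net", "mail_key_created", "key_id=k1"),
    ("2023-04-20T11:30:00", "bob@sbcglobal.net", "mail_key_created", "key_id=k2"),
    ("2023-04-21T02:10:00", "carol@bellsouth.net", "notify_address_changed", "to=x@example.com"),
    ("2023-04-21T02:12:00", "carol@bellsouth.net", "mail_key_created", "key_id=k3"),
    ("2023-04-21T02:14:00", "carol@bellsouth.net", "mail_key_created", "key_id=k4"),
]

WINDOW = timedelta(minutes=30)  # how far back to look for a legitimate login


def parse(events):
    """Turn the raw tuples into (datetime, account, event, detail) rows."""
    return [(datetime.fromisoformat(ts), acct, ev, detail) for ts, acct, ev, detail in events]


def flag_mail_keys(events, window=WINDOW):
    """Return (account, key_id, reasons) for every mail-key creation that
    looks unauthorised. A creation is flagged when, within `window` before
    it, the same account has: no interactive web login (key minted without
    the password), a notification-address change (alerts being silenced),
    or another key creation (the repeat pattern the victims report)."""
    rows = sorted(parse(events))
    alerts = []
    for i, (ts, acct, ev, detail) in enumerate(rows):
        if ev != "mail_key_created":
            continue
        recent = [r for r in rows[:i] if r[1] == acct and ts - r[0] <= window]
        reasons = []
        if not any(r[2] == "web_login" for r in recent):
            reasons.append("no recent web login")
        if any(r[2] == "notify_address_changed" for r in recent):
            reasons.append("notification address changed just before")
        if any(r[2] == "mail_key_created" for r in recent):
            reasons.append("repeated key creation")
        if reasons:
            alerts.append((acct, detail.split("=", 1)[1], reasons))
    return alerts


if __name__ == "__main__":
    for acct, key, why in flag_mail_keys(SAMPLE_EVENTS):
        print(f"{acct}: key {key} flagged ({'; '.join(why)})")
```

With the sample data, alice’s key (minted minutes after a web login) passes, while bob’s and both of carol’s are flagged; in a real deployment the second and third rules would also justify rejecting the creation outright rather than only alerting.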
According to the tip, the hackers have made between $15 and $20 million in stolen cryptocurrency and can “reset any” AT&T email account. (TechCrunch was unable to independently corroborate the tipster’s assertion.)
In an image that TechCrunch believes came from a Telegram group discussion, one of the hackers asserts that they “have the entire AT&T employee database,” enabling them to access the company’s internal OPUS employee site.
According to the screenshot, the hacker stated in the Telegram channel, “Only thing we are missing is a certificate, which is the last key to accessing the [AT&T] VPN servers.”
The group now has access to AT&T’s internal VPN, according to the tip.
The AT&T spokesman, Kimberly, denied that the hackers had any access to private business networks. “This exploit did not involve any system penetration. An API access was utilised by the evil guys.”