AT&T Addresses Recent Data Set Released on the Dark Web (opens in new tab)

(about.att.com)

39 pointsemeraldd2y ago21 comments

21 comments

xyst2y ago

Given how lax AT&T is with this sad press release. They are fully expected to pay some fine, which they will pay after exhausting years of appeals. At that point, people will have forgotten. Impacted people get a check for $5 (if they are lucky). Business as usual.

Nobody goes to jail. Some offshore team is replaced with another bottom of the barrel contractor. Maybe a low ranking executive is given a slap on the wrists, internally. AT&T cuts some internal program to make up for loss (1 year moratorium on T&E for that team)

1oooqooq2y ago

if the press release is out, they already have a deal for a 3.50 identity protection plan as a "fine"

xyst2y ago

I vaguely recall receiving a less than dollar amount check from some PayPal class action lawsuit. Maybe it was in 2012 or 2015.

So that’s also on the table.

underlogic2y ago

AT&T have come a long way since room 641A. At least today they acknowledge their users had some right to privacy

flandish2y ago

Spot on prediction. We need to start pushing for jail for these people running (and owning) these businesses with such carelessness.

- yes. I mean all owners. Shareholders too. All it would take is once for shareholders to get slapped with prison relative to shares owned for this sh*t to stop.

Terretta2y ago

> Shareholders too.

A proportionate share of jail-time days, rounded down. So retail investors would be fine.

flandish2y ago

No. Jail even folks buying ten shares on robinhood.

Let’s make it not ok to invest in corporations committing crime.

breadwinner2y ago

Apparently they encrypted customer passwords instead of one-way hashing [1].

"A security researcher who analyzed the leaked data told TechCrunch that the encrypted account passcodes are easy to decipher."

"The leaked data includes AT&T customer names, home addresses, phone numbers, dates of birth and Social Security numbers."

[1] https://techcrunch.com/2024/03/30/att-reset-account-passcode...

circusfly2y ago

> Apparently they encrypted customer passwords instead of one-way hashing [1].

Pretty incredible, I use one way hashing for my own sites and I don't even have customers, just a couple of accounts I use when I want to demo something.

illusive40802y ago

“There are only 9999 possible passcodes, why bother hashing them?” - AT&T, probably

PS small correction - “passcodes” were admittedly stolen which are numeric security codes that you have to verbally provide when calling in.

iraqmtpizza2y ago

The correct approach is keyed hashing e.g. HMAC/KMAC for something like that, or...?

illusive40802y ago

Yes but if the algorithm and salt gets to be known then there are very few possibilities (10^n where n is max length of passcode) and unless people are setting 50 digit passcodes, then it is very crackable.

1 more reply

rdtsc2y ago

> AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web; source is still being assessed.

In the "about us" section

> We help more than 100 million U.S. families, friends and neighbors, plus nearly 2.5 million businesses, connect to greater possibility.

I like how they address themselves in the 3rd person. Did something bad? Use the passive voice and address yourself in the 3rd person.

slazien2y ago

While this might be a marketing tactic in such situations, in this case it's a press release, which is a format where it's common to speak about "yourself" in 3rd person. Look at their other press releases.

rdtsc2y ago

That's fair, it's so reporters can copy paste it. But given the seriousness here it would seem the CEO could have written something more personal. Though of course it covers their ass legally as it doesn't admit or imply guilt, even hits it's a contractor's fault, and nobody can accuse them of not "responding" any longer.

breadwinner2y ago

The only thing more shocking than these regular leaks, is how many banks assume that if you produce SSN and DOB of Person X then you're X! And if you're not X then that's X's problem — His identity got stolen!

arprocter2y ago

Previous discussion: https://news.ycombinator.com/item?id=39754330

illusive40802y ago

On the bright side, I haven’t ever had to pay for a credit monitoring service, and it looks like I don’t have to start now.

toast02y ago

The three major credit buraux all have free monitoring services anyway. They're of course filled with dark patterns; at least one of them emails me more or less anytime an account reports 'your balance has gone up' or 'your balance has gone down', which is super useless, and can't be configured. But hopefully, I'll get notified if a new account is made, and it will be easier to get it closed while it's new.

sys_647382y ago

Their website is truly pathetic leaving the burden on individuals to need to protect this information. They should bleed red severely for this in punitive damages to those impacted.

j / k navigate · click thread line to collapse

21 comments

xyst2y ago

1oooqooq2y ago

if the press release is out, they already have a deal for a 3.50 identity protection plan as a "fine"

xyst2y ago

I vaguely recall receiving a less than dollar amount check from some PayPal class action lawsuit. Maybe it was in 2012 or 2015.

So that’s also on the table.

underlogic2y ago

AT&T have come a long way since room 641A. At least today they acknowledge their users had some right to privacy

flandish2y ago

Spot on prediction. We need to start pushing for jail for these people running (and owning) these businesses with such carelessness.

- yes. I mean all owners. Shareholders too. All it would take is once for shareholders to get slapped with prison relative to shares owned for this sh*t to stop.

Terretta2y ago

> Shareholders too.

A proportionate share of jail-time days, rounded down. So retail investors would be fine.

flandish2y ago

No. Jail even folks buying ten shares on robinhood.

Let’s make it not ok to invest in corporations committing crime.

breadwinner2y ago

Apparently they encrypted customer passwords instead of one-way hashing [1].

"A security researcher who analyzed the leaked data told TechCrunch that the encrypted account passcodes are easy to decipher."

"The leaked data includes AT&T customer names, home addresses, phone numbers, dates of birth and Social Security numbers."

[1] https://techcrunch.com/2024/03/30/att-reset-account-passcode...

circusfly2y ago

> Apparently they encrypted customer passwords instead of one-way hashing [1].

Pretty incredible, I use one way hashing for my own sites and I don't even have customers, just a couple of accounts I use when I want to demo something.

illusive40802y ago

“There are only 9999 possible passcodes, why bother hashing them?” - AT&T, probably

PS small correction - “passcodes” were admittedly stolen which are numeric security codes that you have to verbally provide when calling in.

iraqmtpizza2y ago

The correct approach is keyed hashing e.g. HMAC/KMAC for something like that, or...?

illusive40802y ago

1 more reply

rdtsc2y ago

> AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web; source is still being assessed.

In the "about us" section

> We help more than 100 million U.S. families, friends and neighbors, plus nearly 2.5 million businesses, connect to greater possibility.

I like how they address themselves in the 3rd person. Did something bad? Use the passive voice and address yourself in the 3rd person.

slazien2y ago

rdtsc2y ago

breadwinner2y ago

arprocter2y ago

Previous discussion: https://news.ycombinator.com/item?id=39754330

illusive40802y ago

On the bright side, I haven’t ever had to pay for a credit monitoring service, and it looks like I don’t have to start now.

toast02y ago

sys_647382y ago

Their website is truly pathetic leaving the burden on individuals to need to protect this information. They should bleed red severely for this in punitive damages to those impacted.

j / k navigate · click thread line to collapse