Re: Did AT&T leak their email list publicly?

35 points by patneedham 2 years ago · 12 comments · 1 min read

Reader

I'm apparently on this list: DONOTUSEPOD1NON@list.att.com

Here are some screenshots of the debacle [edit: properly redacted now]

https://imgur.com/a/MWV2wmk

https://imgur.com/a/yRJCKUn

It started out when someone wrote to that mailing list with

> This is a test to see if external users can email AT&T's internal email list with the most recent email mishap.

followed by other responses like

> I guess so…

> So far, based on the number of unique domains coming back directly to me (and replying all), it appears to be mostly business customers. I am assuming business because I also used my gmail for my business when I set up an AT&T account. Time will tell of course but there's definitely not an insignificant number of people on this list as far as I can tell.

> We’re just lucky there aren’t multiple people with vacation responses on eh?

proslasher 2 years ago

Legit, I'm the OP of the first email. AMA.

No, they didn't leak the email list, but they did leak their internal email list and showed that the incompetently set up an exchange DL and allowed anyone to email it instead of a restricted set of users. They also didn't take the time to close it down, they instead deleted it.

If I wasn't the OP, I wouldn't know that John Hammond is making a video of this right now. Check back in a few hours when this comment ages like fine wine.

proslasher 2 years ago

Video will be up tomorrow.
- appplication 2 years ago
  
  Looks like it’s up: https://youtu.be/_rjdAYlYTzk?si=jW49KSGB-bVmunDl
  - proslasher 2 years ago
    
    Yup! Thank you for posting. That's the one :)

Sylamore 2 years ago

I'm surprised this hasn't happened before, @list.att.com is just a standard listserv type system, internally anyone can create and manage lists of email addresses with internal or external addresses in it and those lists are all open to the public internet if you know their address.

I can't remember if there is any kind of access control that the owner of the list can implement to prevent external messages to the list address but no longer have access to check.

mattl 2 years ago

How many unique addresses on the list approximately?

patneedhamOP 2 years ago

No idea. The person who initially emailed that mailing list address said he'll write about it on his linkedin after the storm and after it's fixed. FWIW I'm not an AT&T customer (or business customer), I just happened to participate in some IOT hackathon they sponsored/hosted 6 or 7 years ago, that's the only way they've ever obtained my email address.
Only 9 unique email addresses have added to the "reply-all" thread within the past couple hours. Don't know if any estimates can be extrapolated from that though.
- peddling-brink 2 years ago
  
  You are leaking those addresses with your screenshots. You should remove or redact those.
  - patneedhamOP 2 years ago
    
    Thanks for the suggestion (and thank you mods for making the update).
- proslasher 2 years ago
  
  yeah, I'll post it on my linkedin. If you gave me your email, I'll send a copy of the linkedin post after I post it, along with the survey stats.
  Here's the preliminary data of those who've responded so far:
  https://i.imgur.com/5dMMHyp.png

castratikron 2 years ago

I got one too

samstave 2 years ago

That list will be sold for much coin soon.

Settings

Re: Did AT&T leak their email list publicly?

Keyboard Shortcuts