AT&T Addresses Recent Data Set Released on the Dark Web

about.att.com

39 points by emeraldd 2 years ago · 23 comments

xyst 2 years ago

Given how lax AT&T is with this sad press release, they are fully expected to pay some fine, which they will pay after exhausting years of appeals. At that point, people will have forgotten. Impacted people get a check for $5 (if they are lucky). Business as usual.

Nobody goes to jail. Some offshore team is replaced with another bottom-of-the-barrel contractor. Maybe a low-ranking executive is given a slap on the wrist, internally. AT&T cuts some internal program to make up for the loss (1-year moratorium on T&E for that team).

  • 1oooqooq 2 years ago

    If the press release is out, they already have a deal for a 3.50 identity protection plan as a "fine".

    • xyst 2 years ago

      I vaguely recall receiving a less than dollar amount check from some PayPal class action lawsuit. Maybe it was in 2012 or 2015.

      So that’s also on the table.

  • underlogic 2 years ago

    AT&T have come a long way since room 641A. At least today they acknowledge their users had some right to privacy.

  • flandish 2 years ago

    Spot on prediction. We need to start pushing for jail for these people running (and owning) these businesses with such carelessness.

    - yes. I mean all owners. Shareholders too. All it would take is once for shareholders to get slapped with prison relative to shares owned for this sh*t to stop.

    • Terretta 2 years ago

      > Shareholders too.

      A proportionate share of jail-time days, rounded down. So retail investors would be fine.

      • flandish 2 years ago

        No. Jail even folks buying ten shares on robinhood.

        Let’s make it not ok to invest in corporations committing crime.

breadwinner 2 years ago

Apparently they encrypted customer passwords instead of one-way hashing [1].

"A security researcher who analyzed the leaked data told TechCrunch that the encrypted account passcodes are easy to decipher."

"The leaked data includes AT&T customer names, home addresses, phone numbers, dates of birth and Social Security numbers."

[1] https://techcrunch.com/2024/03/30/att-reset-account-passcode...

  • circusfly 2 years ago

    > Apparently they encrypted customer passwords instead of one-way hashing [1].

    Pretty incredible. I use one-way hashing for my own sites and I don't even have customers, just a couple of accounts I use when I want to demo something.

  • illusive4080 2 years ago

    “There are only 9999 possible passcodes, why bother hashing them?” - AT&T, probably

    PS: small correction - "passcodes" were admittedly stolen, which are numeric security codes that you have to verbally provide when calling in.

    • iraqmtpizza 2 years ago

      The correct approach is keyed hashing e.g. HMAC/KMAC for something like that, or...?

      • illusive4080 2 years ago

        Yes, but if the algorithm and salt become known then there are very few possibilities (10^n where n is the max length of the passcode), and unless people are setting 50-digit passcodes, it is very crackable.

        • iraqmtpizza 2 years ago

          It's crackable by those that have the secret key i.e. AT&T and whoever they leak their key to. But presumably it's harder to steal a secret key and a database entry than it is to steal just a database entry.

          The salt just obscures whether two users have the same code.
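The subthread above argues that a salted one-way hash of a short numeric passcode is exhaustively searchable from the database row alone, whereas a keyed hash (HMAC) moves the search onto a secret that is not stored with the row. The following Python is an added illustration of that argument, not code from AT&T or from anyone in the thread; the 4-digit passcode, the salts and the key are constructed sample values, and HMAC-SHA256 from the standard library stands in for whatever keyed construction a real system would use.

```python
import hashlib
import hmac
from typing import Optional

# Constructed assumption: passcodes are exactly this many decimal digits.
PASSCODE_DIGITS = 4
ALL_CODES = [f"{n:0{PASSCODE_DIGITS}d}" for n in range(10 ** PASSCODE_DIGITS)]


def salted_hash(passcode: str, salt: bytes) -> bytes:
    """Unkeyed salted SHA-256. The salt sits in the same row as the digest,
    so whoever has the row has everything needed to test candidate codes."""
    return hashlib.sha256(salt + passcode.encode()).digest()


def keyed_hash(passcode: str, salt: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 over salt||passcode. The key is meant to live outside the
    database (e.g. in an HSM or KMS), so a dumped row does not contain it."""
    return hmac.new(key, salt + passcode.encode(), hashlib.sha256).digest()


def verify_keyed(passcode: str, salt: bytes, key: bytes, stored: bytes) -> bool:
    """Server-side check; constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(keyed_hash(passcode, salt, key), stored)


def recover_from_salted(stored: bytes, salt: bytes) -> Optional[str]:
    """What a holder of the leaked row can do against the unkeyed scheme:
    enumerate all 10**PASSCODE_DIGITS codes. Returns the code or None."""
    for candidate in ALL_CODES:
        if hmac.compare_digest(salted_hash(candidate, salt), stored):
            return candidate
    return None


def recover_from_keyed(stored: bytes, salt: bytes, key_guess: bytes) -> Optional[str]:
    """Same enumeration against the keyed scheme. It only succeeds if key_guess
    is the real key; with a random 256-bit key the row alone is not enough."""
    for candidate in ALL_CODES:
        if hmac.compare_digest(keyed_hash(candidate, salt, key_guess), stored):
            return candidate
    return None


def same_code_different_salts(passcode: str, salt_a: bytes, salt_b: bytes) -> bool:
    """Shows the salt's actual job: two users with the same code get different
    digests, so equal codes cannot be spotted by comparing rows."""
    return salted_hash(passcode, salt_a) != salted_hash(passcode, salt_b)


if __name__ == "__main__":
    # Constructed sample values: a customer passcode, two per-row salts, one server key.
    code = "0423"
    salt_a = bytes.fromhex("a1b2c3d4e5f60718")
    salt_b = bytes.fromhex("0f1e2d3c4b5a6978")
    server_key = bytes.fromhex("6f" * 32)  # 256-bit key, kept out of the database

    row_unkeyed = salted_hash(code, salt_a)
    row_keyed = keyed_hash(code, salt_a, server_key)

    print("unkeyed row recovered:", recover_from_salted(row_unkeyed, salt_a))
    print("keyed row, no key:    ", recover_from_keyed(row_keyed, salt_a, b""))
    print("keyed row, with key:  ", recover_from_keyed(row_keyed, salt_a, server_key))
    print("salt hides equal codes:", same_code_different_salts(code, salt_a, salt_b))
```

The unkeyed row falls to ten thousand hash computations, which takes milliseconds; the keyed row falls just as fast once the key is known, which is exactly the point made above: the protection is only as good as the separation between the key and the database, and a salt on its own never changes the size of the passcode space.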

rdtsc 2 years ago

> AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web; source is still being assessed.

In the "about us" section

> We help more than 100 million U.S. families, friends and neighbors, plus nearly 2.5 million businesses, connect to greater possibility.

I like how they address themselves in the 3rd person. Did something bad? Use the passive voice and address yourself in the 3rd person.

  • slazien 2 years ago

    While this might be a marketing tactic in such situations, in this case it's a press release, which is a format where it's common to speak about "yourself" in 3rd person. Look at their other press releases.

    • rdtsc 2 years ago

      That's fair, it's so reporters can copy-paste it. But given the seriousness here it would seem the CEO could have written something more personal. Though of course it covers their ass legally, as it doesn't admit or imply guilt, even hints it's a contractor's fault, and nobody can accuse them of not "responding" any longer.

breadwinner 2 years ago

The only thing more shocking than these regular leaks is how many banks assume that if you produce the SSN and DOB of Person X then you're X! And if you're not X then that's X's problem: his identity got stolen!

arprocter 2 years ago

Previous discussion: https://news.ycombinator.com/item?id=39754330

illusive4080 2 years ago

On the bright side, I haven’t ever had to pay for a credit monitoring service, and it looks like I don’t have to start now.

  • toast0 2 years ago

    The three major credit bureaus all have free monitoring services anyway. They're of course filled with dark patterns; at least one of them emails me more or less any time an account reports 'your balance has gone up' or 'your balance has gone down', which is super useless and can't be configured. But hopefully I'll get notified if a new account is made, and it will be easier to get it closed while it's new.

sys_64738 2 years ago

Their website is truly pathetic, leaving the burden on individuals to protect this information. They should bleed red severely for this in punitive damages to those impacted.
