Hackers are said to have targeted people using AT&T email addresses in a sequence of attacks that gave them access to cryptocurrency exchanges and allowed them to take victims’ digital assets, reportedly making away with $134,000 from a single user.

How AT&T email addresses are compromised

According to reports made by an anonymous source at the beginning of the month, the group of hackers has discovered a means to access the email accounts of users with att.net, sbcglobal.net, bellsouth.net, or other AT&T email addresses.

The informant further claimed that the hackers are able to create mail keys for any user since they have access to a portion of AT&T’s internal network.

Exclusive: Hackers said they had access to AT&T's internal network, which allowed them to break into customers' email accounts and steal their cryptocurrency. AT&T said it has "updated our security controls to prevent this activity." https://t.co/V9HLXFVUzV — TechCrunch (@TechCrunch) April 27, 2023

Mail keys are 16-character special credentials that owners of AT&T email addresses can use to access their accounts through email clients like Thunderbird or Outlook rather than entering their passwords.

Therefore, once the hackers have acquired a user’s mail key, they can sign in to the target’s mailbox through an email client and begin requesting password resets for higher-value accounts tied to that address, such as cryptocurrency exchanges.

Because the reset emails for a Coinbase or Gemini account land in a mailbox the attackers already control, the password can be changed without the victim suspecting or even knowing that an attack is under way.

According to Jim Kimberly, the company’s spokesperson, AT&T had “identified the unauthorized creation of secure mail keys, which can be used in some cases to access an email account without needing a password.”

The spokesperson further added:

We have updated our security controls to prevent this activity. As a precaution, we also proactively required a password reset on some email accounts.

This required the account owners to change their passwords.

Along with the report, the anonymous source additionally provided a list of alleged victims of the cybercrime incident, two of which confirmed having been hacked.

One victim revealed that he had lost $134,000 to the hackers from his Coinbase account, while the other victim stated that they had been hacked several times.

It has been happening repeatedly since November 2022, probably 10 times at this point. I notice it has been done when my Outlook client fails to ‘connect’ and I quickly log into my [AT&T] site and delete their key and create a new one.

“Very frustrating because it is obvious that the ‘hackers’ have direct access to the database or files containing these customer Outlook keys, and the hackers don’t need to know the user’s AT&T website login to access and change these Outlook login keys,” the victim added.

“We have the entire AT&T employee database,” say the hackers

These are not the only victims who have spoken up. Several other users with AT&T and affiliated email accounts have come forward on Reddit claiming to have been hacked as well.

“Hello, my email was compromised back in March of this year and I have done everything I can to reset the password, security questions, etc but occasionally I’m still getting emails that a secure mail key has been created on my account without my knowledge,” one user wrote.

“They would even delete the email notification so I don’t see it but I recently changed to another email for profile updates so they don’t have access. This sounds like someone still has access to my account but how?” they added.

Moreover, the source alleges that the hackers have made between $15 and $20 million in stolen cryptocurrency and that they are able to reset any AT&T email account, a claim that is yet to be confirmed.

While AT&T, through its spokesperson, has denied that the hackers had any access to private business networks, the attackers and anonymous informant say otherwise. The hackers stated on a Telegram channel that they “have the entire AT&T employee database,” enabling them to access the company’s internal OPUS employee portal.

They also said, “Only thing we are missing is a certificate, which is the last key to accessing the [AT&T] VPN servers,” although, according to the informant’s report, they already have access to the internal VPN servers.

Regardless, AT&T maintains that “There was no intrusion into any system for this exploit. The bad actors used an API access.”

