Hackers are reportedly breaking into the accounts of people with AT&T email addresses and using that access to take over their cryptocurrency exchange accounts and steal their digital assets.
Earlier this month, an anonymous source told reporters that a group of cybercriminals had found a way to hijack the email accounts of anyone with an att.net, sbcglobal.net, bellsouth.net, or other AT&T-hosted email address.
According to the tipster, the hackers do this by abusing part of AT&T’s internal network that lets them generate secure mail keys for any user. A secure mail key is a separate, app-specific credential that lets an AT&T email user sign in from a mail client such as Thunderbird or Outlook (over IMAP or POP) without the account password, so whoever holds a key does not need to know, guess, or change that password.
Once the hackers hold a target’s mail key, they can sign in from a mail client and read the inbox, which is the recovery channel for almost every other online account. From there they trigger “forgot password” resets at higher-value services such as cryptocurrency exchanges and catch the reset emails. This is where the real damage occurs: a password reset at Coinbase or Gemini delivered to a compromised inbox amounts to a complete account takeover.
An anonymous source provided reporters with a list of potential victims, two of whom confirmed they had been hacked.
AT&T spokesperson Jim Kimberly acknowledged that the company had detected the unauthorized creation of secure mail keys, which can be used to access an email account without the password. He said the company had put updated security controls in place to prevent this type of activity and, as a precaution, had proactively forced a password reset on some email accounts.
AT&T declined to say how many people were affected. The accounts it locked stay locked until their owners reset the password.
The spokesperson said this reset also invalidates any previously created secure mail keys.
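The two design questions the story turns on are who is allowed to mint a mail key and whether a password reset revokes the keys that already exist. The following is an added, self-contained Python model written for this page; it is not AT&T’s code, assumes nothing about AT&T’s actual systems, and uses made-up names such as `MailAccount`, `create_mail_key` and `run_scenario`. It puts a weak design (any internal caller can mint a key without the owner’s password, and a reset leaves old keys alive) beside the hardened one the spokesperson described (keys require the password, every key records who created it, and a reset revokes all of them), and includes the audit the victims effectively performed by hand: listing every key on the account and flagging any the owner did not create.

```python
"""Toy model of app-specific "secure mail keys" (illustration only, not AT&T's code).

A mail key lets a mail client log in without the account password, so what
matters is (1) who may mint one, (2) whether the owner can see every key that
exists, and (3) whether a password reset revokes outstanding keys.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional


def _digest(value: str) -> str:
    # Plain SHA-256 is fine for this model; a real service would use a password hash for the password.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class MailAccount:
    def __init__(self, password: str, *, require_password_for_key: bool, revoke_keys_on_reset: bool):
        self._pw_hash = _digest(password)
        self._keys: dict[str, tuple[str, str]] = {}  # key_id -> (hashed secret, created_by)
        self.require_password_for_key = require_password_for_key
        self.revoke_keys_on_reset = revoke_keys_on_reset

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._pw_hash, _digest(password))

    def create_mail_key(self, created_by: str, password: Optional[str] = None) -> tuple[str, str]:
        """Mint a key. Weak variant: any caller (e.g. an internal API) may do this with no proof the owner asked."""
        if self.require_password_for_key and not (password is not None and self.check_password(password)):
            raise PermissionError("account password required to create a mail key")
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(24)
        self._keys[key_id] = (_digest(secret), created_by)
        return key_id, secret

    def mail_client_login(self, key_id: str, secret: str) -> bool:
        """What an IMAP/POP login with a mail key checks: the key, never the account password."""
        entry = self._keys.get(key_id)
        return entry is not None and hmac.compare_digest(entry[0], _digest(secret))

    def list_keys(self) -> dict[str, str]:
        return {key_id: created_by for key_id, (_, created_by) in self._keys.items()}

    def revoke_key(self, key_id: str) -> None:
        self._keys.pop(key_id, None)

    def reset_password(self, new_password: str) -> None:
        self._pw_hash = _digest(new_password)
        if self.revoke_keys_on_reset:
            self._keys.clear()  # hardened: a reset invalidates every outstanding key


def unexpected_keys(account: MailAccount, owner_key_ids: set[str]) -> dict[str, str]:
    """The audit the victims did by hand: any key the owner did not create is a red flag."""
    return {k: v for k, v in account.list_keys().items() if k not in owner_key_ids}


def run_scenario(hardened: bool) -> dict[str, bool]:
    acct = MailAccount("owner-pass", require_password_for_key=hardened, revoke_keys_on_reset=hardened)
    owner_id, owner_secret = acct.create_mail_key("owner-via-website", password="owner-pass")

    # Attacker path from the article: mint a key through an internal channel, without the password.
    try:
        atk_id, atk_secret = acct.create_mail_key("internal-api-caller")
        attacker_has_key = True
    except PermissionError:
        atk_id = atk_secret = ""
        attacker_has_key = False

    stray = unexpected_keys(acct, {owner_id})
    login_before_reset = attacker_has_key and acct.mail_client_login(atk_id, atk_secret)

    acct.reset_password("new-owner-pass")  # the remediation applied to affected accounts
    login_after_reset = attacker_has_key and acct.mail_client_login(atk_id, atk_secret)
    owner_key_survives = acct.mail_client_login(owner_id, owner_secret)

    return {
        "attacker_minted_key": attacker_has_key,
        "audit_flagged_stray_key": bool(stray),
        "attacker_login_before_reset": login_before_reset,
        "attacker_login_after_reset": login_after_reset,
        "owner_key_survives_reset": owner_key_survives,
    }


if __name__ == "__main__":
    for name, hardened in (("weak", False), ("hardened", True)):
        print(name, run_scenario(hardened))
```

In the weak model the attacker’s key works before and after the reset, and only the owner’s own audit of the key list exposes it; in the hardened model the attacker cannot mint a key at all, and a reset revokes every key, including the owner’s, who must then create a fresh one for each mail client. That is the trade-off behind forcing resets on affected accounts.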
One victim said hackers drained $134,000 from his Coinbase account. The second said it has been happening repeatedly since November 2022, about ten times so far. Each time, the victim noticed because their Outlook client could no longer connect; they then logged in to the AT&T site, deleted the hackers’ mail key, and created a new one.
The victim expressed frustration, saying the hackers had directly accessed the database or files holding these customer Outlook keys, and that the hackers could change these Outlook login keys without knowing the user’s AT&T website login credentials.
Multiple Reddit users with AT&T-hosted email addresses have reported being hacked. One said their email was compromised in March of this year and that, despite resetting their password and security questions, they keep receiving notifications that a secure mail key has been created on their account without their knowledge.
The hackers have allegedly deleted those email notifications to avoid detection. The user has since switched to a different email address for profile updates but is concerned that the hackers still have access to the account.
Another Reddit user said they have been experiencing the same issue for months: their account keeps getting locked out and a mail key keeps being created without their authorization, even though they have not changed their password.
A screenshot reportedly taken from a Telegram group chat has surfaced in which one of the hackers claims to possess the entire AT&T employee database, giving them access to an internal employee portal called OPUS.
In the chat the hacker said the only thing missing was a certificate to access AT&T’s VPN servers.
According to the anonymous tipster, the hackers have since gotten into AT&T’s internal VPN. AT&T spokesperson Kimberly denied any breach of the company’s internal systems, saying the hackers used API access and did not intrude into any system.