Snowflake Hackers Identified and Accused of Stealing 50 Billion AT&T Records

The US government has accused Connor Moucka and John Binns of being the hackers who broke into AT&T’s systems and stole some 50 billion customer phone and text records.

In July, AT&T said hackers stole the phone data of “nearly all” of its mobile and landline customers, as well as call and text message data, such as who contacted whom by phone or text message, but not the content of the messages. AT&T said at the time that it would notify about 110 million AT&T customers of the breach, and that the data was stolen from its systems hosted on Snowflake, a provider of cloud data analytics services.

Until the Justice Department’s indictment against the two hackers, which was filed Sunday, the total amount of stolen AT&T customer data was unknown.

The document does not mention AT&T. Instead, it lists “Victim-2,” describing it as “a major telecommunications company based in the United States,” which was hacked around April 14. When AT&T previously confirmed a breach, it said the company learned of the hack on April 19. This means that both the description of what kind of company Victim-2 is and the dates of the breach match what AT&T has publicly disclosed, making it almost certain that Victim-2 is indeed AT&T.

AT&T did not respond to a request for comment.

DOJ spokesperson Emily Langlie declined to comment.

Contact us

Do you have more information about the AT&T breach? Or other Snowflake-related breaches? From a non-work device, you can securely contact Lorenzo Franceschi-Bicchierai on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You can also contact TechCrunch at SecureDrop.

In general, according to the complaint, Moucka and Binns had access to “billions of sensitive customer data” and successfully extorted at least 36 bitcoin (approximately $2.5 million when the victims paid) from at least three victims over a span of almost a year, from approximately November 2023 until October 10 this year.

Prosecutors say Moucka, who lived in Canada, was also known online as “judische,” “catist,” “waif” and “cllyels,” and that Binns, who lived in Turkey, was known as “irdev” and “j_irdev1337”. Moucka was arrested in Canada last week. Binns was previously arrested in Turkey, according to 404 Media.

In August, Binns claimed credit for the AT&T breach, speaking to The Wall Street Journal. Moucka, under his nickname “Judische”, told 404 Media that he thought he would be arrested soon.

AT&T is just one of many victims that have had sensitive data stolen from their Snowflake instances. In recent months, hackers have also broken into Santander bank, Ticketmaster, and approximately 165 other business customers. All of these companies use Snowflake.

Prosecutors alleged that by breaking into the victim companies’ Snowflake instances, the hackers stole large amounts of sensitive personal and corporate data, including Social Security numbers, driver’s license numbers, passport numbers and banking information, in one of the worst cyber attacks of the year. In some cases, the hackers also asked the victims for ransoms, threatening to leak the stolen information, threats they sometimes followed through on.

Wired previously reported that AT&T paid a hacker $370,000 in an attempt to get them to delete the stolen data. Prosecutors said in the indictment that Victim-2 paid a ransom to the hackers.

This story has been updated with a “No comment” message from DOJ.