Decipher File · April 14 to April 25, 2024 exfiltration, July 12 disclosure
AT&T Call and Text Metadata Breach (Jul 2024): ~110M Records on Stolen Snowflake Tenant
AT&T filed an SEC Form 8-K on July 12, 2024 disclosing that call and text metadata for nearly all wireless customers and customers of certain mobile virtual network operators using AT&T's network had been exfiltrated from a third-party cloud platform. The third-party platform was Snowflake. The records covered approximately 110 million customers and included phone numbers, call and text counts, durations, and cell-site identifiers, but not content of calls or messages. Initial access used stolen Snowflake account credentials without multifactor authentication, the same vector that hit Ticketmaster, Santander, AdvanceAuto, Neiman Marcus, and other Snowflake customers in mid-2024. The DOJ allowed AT&T to delay public disclosure under SEC Rule 1.05(c) for national security reasons.
Incident summary
AT&T filed an SEC Form 8-K on July 12, 2024 disclosing that call and text metadata for nearly all of the company's wireless customers, plus customers of certain mobile virtual network operators (MVNOs) using AT&T's network, had been exfiltrated from a third-party cloud platform. The third-party platform was Snowflake. The exfiltration window was April 14 to April 25, 2024. The records covered approximately 110 million customers and included phone numbers, the dates and durations of calls and text messages, the counts of communications, and cell-site identifiers for certain records. Per AT&T's filing, content of calls and messages was not affected, and customer name, Social Security number, date of birth, or financial data were not in the affected dataset.
AT&T's 8-K explicitly stated that the Department of Justice had directed AT&T to delay public disclosure twice under SEC Rule 1.05(c), which permits disclosure delay for material cybersecurity incidents when the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. AT&T detected the unauthorized access on April 19, 2024 and would normally have been required to disclose within four business days of materiality determination under the SEC's July 2023 cybersecurity disclosure rule. The DOJ-authorized delay produced a roughly 90-day gap between detection and public disclosure, which the DOJ later confirmed publicly was based on national security concerns related to active law enforcement and intelligence investigations.
The intrusion was operationally identical to the broader Snowflake customer breach campaign documented by Mandiant on June 10, 2024 as UNC5537 activity. The initial access vector across the campaign was stolen Snowflake account credentials obtained from infostealer malware on customer or contractor endpoints, used against Snowflake accounts that did not have multifactor authentication enforced. Other victims in the same campaign included Ticketmaster, Santander, AdvanceAuto Parts, Neiman Marcus, LendingTree, and Pure Storage. Snowflake itself was not breached. The vector was customer-side credential compromise plus customer-side MFA absence.
Attack technique
Per Mandiant's June 10, 2024 UNC5537 brief and Snowflake's June 2, 2024 customer advisory, the technique chain across the Snowflake customer campaign began with infostealer malware on customer or contractor endpoints. Common infostealer families involved included Vidar, Lumma, RisePro, and Redline. The malware extracted browser-stored credentials including Snowflake workspace login credentials. The credentials were sold or used directly by UNC5537 actors to authenticate to victim Snowflake accounts. The AT&T-specific case followed this pattern.
Where the targeted Snowflake account had not enrolled in multifactor authentication, the stolen credentials authenticated successfully without further obstacle. Snowflake's product permitted password-only authentication as a default configuration during the campaign window, though Snowflake had documented MFA enrollment as a baseline best practice. After June 2, 2024, Snowflake required MFA enrollment for new accounts and progressively enforced it for existing accounts. The AT&T Snowflake account configuration during the April 14 to April 25 window did not have MFA enforced for the affected service principal or user.
Post-authentication, UNC5537 ran SQL queries against the AT&T Snowflake tables containing call detail records (CDRs) and text message metadata. CDRs are the structured data that mobile carriers maintain for billing, network operations, and lawful-intercept response. Each CDR includes the calling and called phone numbers, the time the call started, the call duration, and for certain records the cell-site identifier indicating the cell tower that handled the call. CDR table sizes at major carriers are measured in tens of billions of rows. The exfiltration of 110 million customers' worth of CDR data required automated bulk SQL queries plus high-volume cloud-to-cloud data transfer over the April 14 to April 25 window.
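The three signals described across the technique chain above (password-only logins, logins from an address the account never used before the window, and bulk extraction by the same account) can be correlated from Snowflake's own audit views. The following is an added example written for this page, not code from AT&T, Snowflake or Mandiant. It assumes rows from the SNOWFLAKE.ACCOUNT_USAGE LOGIN_HISTORY and QUERY_HISTORY views exported as dicts keyed by the lower-cased column names; the sample rows, the baseline cutoff date and the volume thresholds are constructed for illustration.

```python
"""Hunt for the UNC5537-style Snowflake access pattern in exported
ACCOUNT_USAGE history: password-only logins, logins from IPs a user never
used before the exfiltration window, and bulk extraction by the same user.

Added example, not code from AT&T, Snowflake or Mandiant. Column names
follow Snowflake's LOGIN_HISTORY and QUERY_HISTORY views; all rows below
are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed LOGIN_HISTORY rows (column names follow Snowflake's view).
LOGIN_HISTORY = [
    {"event_timestamp": "2024-04-01T08:00:00", "user_name": "ANALYST_1",
     "client_ip": "203.0.113.10", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": "DUO_PUSH", "is_success": "YES"},
    {"event_timestamp": "2024-04-01T08:05:00", "user_name": "SVC_REPORTING",
     "client_ip": "192.0.2.5", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "YES"},
    {"event_timestamp": "2024-04-14T02:13:00", "user_name": "SVC_REPORTING",
     "client_ip": "198.51.100.77", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "YES"},
    {"event_timestamp": "2024-04-15T09:00:00", "user_name": "ANALYST_1",
     "client_ip": "203.0.113.10", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": "DUO_PUSH", "is_success": "YES"},
    {"event_timestamp": "2024-04-16T03:40:00", "user_name": "SVC_REPORTING",
     "client_ip": "198.51.100.77", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "NO"},
]

# Constructed QUERY_HISTORY rows. QUERY_TYPE 'UNLOAD' is a COPY INTO <stage>,
# i.e. data leaving the account; OUTBOUND_DATA_TRANSFER_BYTES counts it.
QUERY_HISTORY = [
    {"start_time": "2024-04-14T02:20:00", "user_name": "SVC_REPORTING",
     "query_type": "SELECT", "rows_produced": 48_000_000,
     "outbound_data_transfer_bytes": 0},
    {"start_time": "2024-04-14T03:00:00", "user_name": "SVC_REPORTING",
     "query_type": "UNLOAD", "rows_produced": 48_000_000,
     "outbound_data_transfer_bytes": 6_400_000_000},
    {"start_time": "2024-04-15T10:00:00", "user_name": "ANALYST_1",
     "query_type": "SELECT", "rows_produced": 1_200,
     "outbound_data_transfer_bytes": 0},
]


def _ts(value):
    return datetime.fromisoformat(value)


def single_factor_logins(login_rows):
    """Successful logins that presented no second factor (password only)."""
    return [r for r in login_rows
            if r["is_success"] == "YES" and not r["second_authentication_factor"]]


def logins_from_new_ips(login_rows, baseline_before):
    """Successful logins at or after `baseline_before` from an IP the same
    user never logged in from before that cutoff."""
    cutoff = _ts(baseline_before)
    known = defaultdict(set)
    for r in login_rows:
        if r["is_success"] == "YES" and _ts(r["event_timestamp"]) < cutoff:
            known[r["user_name"]].add(r["client_ip"])
    return [r for r in login_rows
            if r["is_success"] == "YES"
            and _ts(r["event_timestamp"]) >= cutoff
            and r["client_ip"] not in known[r["user_name"]]]


def bulk_extraction(query_rows, rows_threshold, bytes_threshold):
    """Per-user totals; keep users over either threshold or running UNLOADs."""
    totals = defaultdict(lambda: {"rows": 0, "outbound_bytes": 0, "unloads": 0})
    for q in query_rows:
        t = totals[q["user_name"]]
        t["rows"] += q["rows_produced"] or 0
        t["outbound_bytes"] += q["outbound_data_transfer_bytes"] or 0
        if q["query_type"] == "UNLOAD":
            t["unloads"] += 1
    return {u: t for u, t in totals.items()
            if t["rows"] >= rows_threshold
            or t["outbound_bytes"] >= bytes_threshold
            or t["unloads"] > 0}


def hunt(login_rows, query_rows, baseline_before,
         rows_threshold=1_000_000, bytes_threshold=1 << 30):
    """Correlate the three signals. `priority` lists users that both logged
    in suspiciously (single factor or new IP, after the cutoff) and
    extracted at volume, the combination the campaign relied on."""
    suspicious = set()
    for r in single_factor_logins(login_rows):
        if _ts(r["event_timestamp"]) >= _ts(baseline_before):
            suspicious.add(r["user_name"])
    for r in logins_from_new_ips(login_rows, baseline_before):
        suspicious.add(r["user_name"])
    bulk = bulk_extraction(query_rows, rows_threshold, bytes_threshold)
    return {
        "single_factor": single_factor_logins(login_rows),
        "new_ip": logins_from_new_ips(login_rows, baseline_before),
        "bulk": bulk,
        "priority": sorted(u for u in bulk if u in suspicious),
    }


if __name__ == "__main__":
    # Constructed baseline cutoff: the day before the exfiltration window opened.
    for user in hunt(LOGIN_HISTORY, QUERY_HISTORY, "2024-04-13T00:00:00")["priority"]:
        print("investigate:", user)
```

The baseline cutoff matters: an IP is only "new" relative to what the account did before the window, so the login export has to reach back further than the period under investigation. On a real tenant the volume thresholds should come from each account's own history rather than a fixed number, since a legitimate pipeline user may move more rows in a day than an analyst moves in a year.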
The actor exfiltrated the data to attacker-controlled cloud storage and subsequently extorted AT&T directly. Per Wall Street Journal reporting on July 14, 2024, AT&T paid approximately $370,000 in bitcoin to the actor in exchange for a video purporting to show deletion of the stolen records. The payment, while a fraction of typical major-victim ransomware payments, was operationally significant because AT&T paid before public disclosure and the payment was reported only after the disclosure. The deletion video's actual evidentiary value is disputed in security industry analysis, since possession-and-deletion claims by ransomware actors are not independently verifiable.
Impact and consequences
Customer-data scope at approximately 110 million is among the largest single-incident customer-data disclosures in US history. The affected dataset was metadata (CDRs) rather than communications content, which is a meaningful distinction legally and practically. CDRs alone do not contain the substance of conversations, but they are surveillance-grade behavioral data. Aggregate analysis of CDRs reveals social network relationships, location patterns through cell-site associations, and communication frequency patterns. For specific high-value targets including journalists, government officials, defense industry personnel, and intelligence sources, CDR exposure is operationally consequential even without communications content.
Customer notification ran through late July and August 2024. AT&T sent customer letters explaining that call and text metadata had been affected and offering identity-monitoring services. The customer notification distinguished the July 12 incident from the separate March 2024 AT&T disclosure of customer personal information leaked on a dark web forum, which was a different incident with a different vector. The two AT&T incidents in 2024 produced customer-side confusion and the trade press extensively documented the distinction.
Regulatory and litigation consequences followed. State attorneys general opened coordinated investigations under state breach-notification laws. The Federal Communications Commission opened an inquiry under the agency's CPNI (Customer Proprietary Network Information) regulations, which give the FCC enforcement authority over carrier data protection. Class action litigation followed within days of the July 12 disclosure. The DOJ-authorized disclosure delay also raised separate policy and legal questions about the procedure under SEC Rule 1.05(c), which had not previously been invoked at this scale.
The Snowflake campaign as a whole reset enterprise cloud identity expectations. Before mid-2024, multifactor authentication on enterprise SaaS workloads, while a documented best practice, was not uniformly enforced. After the Snowflake campaign, Snowflake required MFA for new accounts, AWS published guidance on IAM Identity Center and MFA enforcement, Google Cloud expanded BeyondCorp posture requirements, and CISA issued advisories on enterprise cloud identity baselines. The 110-million-customer metadata exposure at AT&T became one of the most cited reference incidents in the broader cloud identity baseline conversation.
Indicators of Compromise
Specific artifacts defenders should hunt for. Cross-reference these against your existing detection rules before acting on them.
- Snowflake login activity from credentials stolen via infostealer malware on customer or contractor endpoints, per Mandiant UNC5537 reporting
- Snowflake account access without multifactor authentication enrollment, per Snowflake's June 2024 customer advisory
- Bulk SQL query patterns extracting call detail records and text message metadata at volume from the AT&T Snowflake tenant
- Outbound data transfers from Snowflake cloud storage to attacker-controlled cloud storage between April 14 and April 25, 2024
- Threat actor demands for ransom or extortion payment via leaked-data forum posts attributed to ShinyHunters and adjacent actors
- Ticketmaster, Santander, AdvanceAuto, and Neiman Marcus disclosures showing the same Snowflake credential-theft vector through June and July 2024
Lessons for defenders
Multifactor authentication on every cloud data platform account is now a baseline requirement, not a best practice. The Snowflake customer campaign hit specifically the accounts that did not have MFA enforced. Cloud data platforms, cloud data warehouses, cloud business intelligence platforms, cloud analytics platforms, and equivalent data-rich SaaS platforms must have MFA enforced at the identity provider level for all human users and key-pair authentication for all service principals. Service-principal authentication should never rely on long-lived passwords. Audit every cloud data platform account in your environment for MFA enforcement and key-pair rotation cadence.
Infostealer malware on customer and contractor endpoints is the structural initial access vector. The AT&T case shows that the compromise did not have to happen at AT&T directly. A contractor or service provider endpoint compromise produced the credentials that authenticated to AT&T's Snowflake tenant. Audit your third-party and contractor access patterns: which contractors have credential-based access to your cloud data platforms, what endpoint posture do those contractors maintain, and what identity controls (MFA, IP allowlisting, device trust) do you require for that access. The conventional answer of trusting contractor identity assertions is no longer adequate.
Call detail record table access controls deserve specific attention beyond general cloud identity baselines. CDRs are surveillance-grade data with national security and operational sensitivity. Telco operators should treat CDR table access as a high-sensitivity privilege managed with separate identity tiering, separate audit logging, and separate access review processes from general data platform access. The same principle applies to financial transaction tables, healthcare clinical data, and any other table category with concentrated sensitivity. Tier your data, tier your access controls.
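The three audits the lessons above call for (MFA on every human account, key-pair rather than password authentication on service principals with a rotation cadence, and CDR-tier access confined to a dedicated role tier) can be run as one posture check over a user export. The following is an added example written for this page, not AT&T's or Snowflake's code. It assumes a user export shaped like Snowflake's ACCOUNT_USAGE.USERS view (NAME, TYPE, HAS_PASSWORD, HAS_RSA_PUBLIC_KEY, EXT_AUTHN_DUO) plus two inventories the tenant owner has to keep themselves: when each RSA key was last set (the `rsa_public_key_last_set_time` field is hypothetical; the view does not carry it) and flat role-to-table and user-to-role grant lists. All sample users, roles, tables and the 90-day cadence are constructed.

```python
"""Posture audit for a cloud data platform tenant: MFA on human users,
key-pair (not password) auth on service principals, key rotation cadence,
and whether access to CDR-tier tables is confined to a dedicated role tier.

Added example, not AT&T's or Snowflake's code. User fields mirror
Snowflake's ACCOUNT_USAGE.USERS view; `rsa_public_key_last_set_time` is a
hypothetical field from the operator's own key inventory. All data is
constructed.
"""
from datetime import datetime

ROTATION_DAYS = 90        # constructed rotation cadence for service-principal keys
AS_OF = "2024-04-13"      # constructed audit date

USERS = [
    {"name": "ALICE", "type": "PERSON", "has_password": True,
     "has_rsa_public_key": False, "ext_authn_duo": True,
     "rsa_public_key_last_set_time": None},
    {"name": "BOB", "type": "PERSON", "has_password": True,
     "has_rsa_public_key": False, "ext_authn_duo": False,
     "rsa_public_key_last_set_time": None},
    {"name": "SVC_REPORTING", "type": "SERVICE", "has_password": True,
     "has_rsa_public_key": False, "ext_authn_duo": False,
     "rsa_public_key_last_set_time": None},
    {"name": "SVC_ETL", "type": "SERVICE", "has_password": False,
     "has_rsa_public_key": True, "ext_authn_duo": False,
     "rsa_public_key_last_set_time": "2023-09-01"},
]

# Flat grants (this example does not resolve role hierarchies).
USER_ROLES = {"ALICE": {"ANALYST"}, "BOB": {"ANALYST"},
              "SVC_REPORTING": {"ANALYST"}, "SVC_ETL": {"CDR_PIPELINE"}}
ROLE_TABLES = {"ANALYST": {"BILLING.CDR", "MARKETING.CAMPAIGNS"},
               "CDR_PIPELINE": {"BILLING.CDR"}}

# The high-sensitivity tier: which tables, and which roles may reach them.
SENSITIVE_TABLES = {"BILLING.CDR"}
TIERED_ROLES = {"CDR_PIPELINE"}


def audit_user(user, user_roles, role_tables, sensitive_tables, tiered_roles,
               rotation_days, as_of):
    """Return the sorted list of finding codes for one user."""
    findings = []
    if user["type"] == "PERSON":
        # Humans: a password login must be backed by a second factor.
        if user["has_password"] and not user["ext_authn_duo"]:
            findings.append("human-no-mfa")
    else:
        # Service principals: key pair only, rotated on cadence.
        if user["has_password"]:
            findings.append("service-password-auth")
        if not user["has_rsa_public_key"]:
            findings.append("service-no-keypair")
        elif user["rsa_public_key_last_set_time"]:
            age = (datetime.fromisoformat(as_of)
                   - datetime.fromisoformat(user["rsa_public_key_last_set_time"])).days
            if age > rotation_days:
                findings.append("keypair-stale")
    # A general-purpose role that reaches a CDR-tier table breaks the tiering.
    for role in user_roles.get(user["name"], set()):
        if role_tables.get(role, set()) & sensitive_tables and role not in tiered_roles:
            findings.append("cdr-access-outside-tier")
            break
    return sorted(findings)


def audit(users, user_roles=USER_ROLES, role_tables=ROLE_TABLES,
          sensitive_tables=SENSITIVE_TABLES, tiered_roles=TIERED_ROLES,
          rotation_days=ROTATION_DAYS, as_of=AS_OF):
    """Map user name -> sorted findings, omitting users with none."""
    out = {}
    for u in users:
        f = audit_user(u, user_roles, role_tables, sensitive_tables, tiered_roles,
                       rotation_days, as_of)
        if f:
            out[u["name"]] = f
    return out


if __name__ == "__main__":
    for name, findings in audit(USERS).items():
        print(f"{name}: {', '.join(findings)}")
```

The tiering check is the one that catches the quiet problem: ALICE is fully compliant on authentication and still gets a finding, because the general ANALYST role reaches the CDR table. Fixing that means moving the CDR grant into the dedicated role and reviewing membership of that role separately, exactly the split the lesson above describes.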
SEC Rule 1.05(c) disclosure delays under DOJ direction are now a known regulatory possibility. The AT&T case was the first major public invocation of the rule at this scale. Build awareness into the incident response playbook for the case where law enforcement or intelligence agencies request a delay determination. The procedure for engaging the DOJ on a delay determination, the standards the DOJ applies, and the operational implications for ongoing incident response work are documented in DOJ public guidance issued late 2024 in response to the AT&T case.
Frequently asked questions
What happened in the AT&T call and text metadata breach?
On July 12, 2024 AT&T disclosed in an SEC Form 8-K that call and text metadata for approximately 110 million wireless customers and certain MVNO customers had been exfiltrated from a third-party cloud platform between April 14 and April 25, 2024. The third-party platform was Snowflake. The affected data included phone numbers, call and text counts and durations, and cell-site identifiers, but not the content of calls or messages. The DOJ directed AT&T to delay public disclosure twice under SEC Rule 1.05(c) for national security reasons.
How did the AT&T Snowflake breach happen?
Per Mandiant's June 10, 2024 UNC5537 brief, the broader Snowflake customer campaign used stolen Snowflake account credentials obtained from infostealer malware on customer or contractor endpoints. The stolen credentials were used against Snowflake accounts that did not have multifactor authentication enforced. The AT&T Snowflake account configuration during the April 2024 window did not have MFA enforced for the affected service principal or user. The vector was customer-side credential compromise plus customer-side MFA absence; Snowflake itself was not breached.
Was the AT&T 110 million customer breach the same as the March 2024 AT&T leak?
No. The July 12, 2024 AT&T disclosure of call and text metadata exposure from Snowflake is a separate incident from the March 2024 AT&T disclosure of customer personal information leaked on a dark web forum. The two incidents had different vectors, different affected data categories, and different timelines. The March 2024 incident involved older customer personal data leaked publicly. The July 2024 incident involved CDR metadata exfiltrated from Snowflake.
What data was affected in the AT&T call and text breach?
Per AT&T's July 12 8-K and customer notifications, the affected dataset included phone numbers, the dates and durations of calls and text messages, the counts of communications, and cell-site identifiers for certain records. The content of calls or messages was not affected. Customer name, Social Security number, date of birth, and financial data were not in the affected dataset. The metadata is operationally consequential despite the absence of content, particularly for surveillance-grade behavioral analysis.
Did AT&T pay a ransom?
Per Wall Street Journal reporting on July 14, 2024, AT&T paid approximately $370,000 in bitcoin to the actor in exchange for a video purporting to show deletion of the stolen records. The payment was made before public disclosure and was reported in the press after the disclosure. The deletion video's actual evidentiary value is disputed in security industry analysis, since possession-and-deletion claims by ransomware actors are not independently verifiable. AT&T has not separately confirmed the payment amount in SEC filings.
Why was AT&T allowed to delay the disclosure?
The Department of Justice directed AT&T to delay public disclosure twice under SEC Rule 1.05(c), which permits disclosure delay for material cybersecurity incidents when the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. The DOJ later confirmed publicly that the delay was based on active law enforcement and intelligence investigations. The AT&T case was the first major public invocation of the rule at this scale and produced a reference template for future delay determinations.
What can other organizations learn from the AT&T breach?
Multifactor authentication on every cloud data platform account is now a baseline requirement, not a best practice. Infostealer malware on contractor and third-party endpoints is the structural initial access vector and requires identity controls beyond trusting contractor identity assertions. Surveillance-grade data including call detail records, financial transactions, and healthcare clinical data require separate identity tiering and access review from general data platform access. SEC Rule 1.05(c) disclosure delays under DOJ direction are now a known regulatory possibility that the incident response playbook should account for.
Sources
- AT&T SEC Form 8-K (July 12, 2024) · AT&T's primary disclosure of the call and text metadata breach
- AT&T Customer Notice and Investor Statement · AT&T's customer-facing and investor-facing statements on incident scope and customer notification
- Mandiant Threat Brief: UNC5537 Targets Snowflake Customer Instances · Mandiant's June 10, 2024 attribution and TTP analysis of the Snowflake customer breach campaign
- Snowflake: Detecting and Preventing Unauthorized User Access (June 2, 2024) · Snowflake's customer advisory on the credential-theft vector and required MFA enrollment
- Wall Street Journal: AT&T Paid Hacker $370K to Delete Stolen Phone Records · WSJ July 14, 2024 reporting on the ransom payment made to delete stolen records
- Department of Justice Delay Determination Notice · DOJ public statement on the disclosure-delay determination under SEC Rule 1.05(c)