Description

The U.S. telco giant AT&T was compelled to reset millions of customer account passcodes in the final days of March 2024, in response to a security breach whose trail goes back to August 2021. At that time a threat actor known as ShinyHunters claimed to have infiltrated AT&T's systems and posted a small sample of records to substantiate the claim. The sample was too limited to confirm the breach, and the incident remained in doubt until a far larger trove of roughly 73 million records surfaced on the dark web in March 2024. The records are believed to date from 2019 or earlier and to cover about 7.6 million current account holders and 65.4 million former account holders. The exposed fields included customers' names, home addresses, phone numbers, dates of birth (DOB) and Social Security numbers (SSNs), alongside account passcodes held in encrypted form.

The Problem with 4-Digit Passcodes

AT&T used 4-digit passcodes as an additional security layer, a practice some companies still follow today. The passcode is typically requested when a customer calls a service center or manages the account at a retail location, and wireless customers could also opt in to use it for account access. The weakness is the size of the space: a passcode runs from 0000 to 9999, only 10,000 possible values. Even a randomly generated 4-digit PIN offers no meaningful resistance to brute force once the check can be made offline, since modern hardware exhausts 10,000 possibilities in a fraction of a second; in an online setting, such as a call center or a web login, the only thing standing between an attacker and the account is whatever attempt limit or lockout the operator enforces.

AT&T stored the passcodes in encrypted form, but the rest of the account data in the leak was in the clear. Because people tend to pick PINs with personal meaning, such as the last four digits of their SSN, their house number or their birth year, and the leak contains exactly those fields for each account, an attacker can build a short list of likely passcodes per customer and try those first instead of all 10,000 values. Encrypting the passcode field helps less than it might appear: if the scheme is deterministic (the same passcode always produces the same ciphertext), the small plaintext space can be mapped by correlating each ciphertext with the personal data of the accounts that share it, and if the encryption itself were broken the guessing step would disappear entirely, leaving every customer's passcode exposed.
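The following Python is an added example illustrating the two points above (the tiny passcode space, and guessing from leaked personal data); it is not code from the HALOCK briefing and not a description of AT&T's actual storage scheme. All records are constructed and fictional, the SERVER_KEY and the HMAC-based deterministic_encrypt() are stand-ins for an unspecified keyed, unsalted transform, and pin_candidates() encodes an assumed list of common personal-data PIN choices. It derives a per-account shortlist of likely 4-digit passcodes and then shows that, when the passcode ciphertext is deterministic, ciphertexts shared by several accounts can be unwound by voting on each account's own personal data, without ever touching the key.

```python
"""Added example (not from the HALOCK briefing or AT&T): shortlist likely
4-digit passcodes from leaked personal fields, and unwind a deterministic
(unsalted) passcode encryption by correlating ciphertexts with those fields.
All records are constructed."""
import hashlib
import hmac
from collections import Counter, defaultdict

# Constructed sample records (fictional people).  "pin" is what each customer
# chose; the attacker never sees it in the clear.
RECORDS = [
    {"name": "A", "dob": "1985-07-04", "ssn": "123-45-6789", "addr": "1524 Elm St",  "phone": "555-0101", "pin": "1985"},
    {"name": "B", "dob": "1985-11-30", "ssn": "987-65-4321", "addr": "77 Oak Ave",   "phone": "555-0102", "pin": "1985"},
    {"name": "C", "dob": "1985-02-14", "ssn": "555-12-9876", "addr": "9012 Pine Rd", "phone": "555-0103", "pin": "1985"},
    {"name": "D", "dob": "1970-03-09", "ssn": "222-33-4444", "addr": "8 Lake Dr",    "phone": "555-0104", "pin": "0309"},
    {"name": "E", "dob": "1992-03-09", "ssn": "777-88-9999", "addr": "4040 Hill Ct", "phone": "555-0105", "pin": "0309"},
    {"name": "F", "dob": "1988-06-17", "ssn": "333-44-5555", "addr": "309 Birch Ln", "phone": "555-0106", "pin": "0309"},
    {"name": "G", "dob": "1966-12-25", "ssn": "111-22-3333", "addr": "600 Main St",  "phone": "555-0107", "pin": "3333"},
    {"name": "H", "dob": "1978-05-21", "ssn": "444-55-6666", "addr": "15 River Rd",  "phone": "555-0108", "pin": "4271"},
]

# Assumed stand-in for the operator's secret key; the attacker does not have it.
SERVER_KEY = b"operator-secret-key"


def deterministic_encrypt(pin: str) -> str:
    """Stand-in for any keyed, deterministic, unsalted passcode transform:
    the same passcode always yields the same ciphertext across accounts."""
    return hmac.new(SERVER_KEY, pin.encode(), hashlib.sha256).hexdigest()[:16]


def pin_candidates(rec: dict) -> list:
    """Ordered, de-duplicated 4-digit guesses derived from one record's own
    personal data; the order is an assumed priority of common choices."""
    yyyy, mm, dd = rec["dob"].split("-")
    house = rec["addr"].split()[0]
    guesses = [
        rec["ssn"].replace("-", "")[-4:],    # last four of SSN
        yyyy,                                # birth year
        mm + dd,                             # birthday as MMDD
        dd + mm,                             # birthday as DDMM
        mm + yyyy[2:],                       # MMYY
        house.zfill(4)[-4:],                 # house number
        rec["phone"].replace("-", "")[-4:],  # last four of phone number
    ]
    seen, out = set(), []
    for g in guesses:
        if len(g) == 4 and g.isdigit() and g not in seen:
            seen.add(g)
            out.append(g)
    return out


def leaked_view(records: list) -> list:
    """What the attacker holds: every field in the clear except the passcode,
    which appears only as its ciphertext."""
    leak = []
    for r in records:
        row = {k: v for k, v in r.items() if k != "pin"}
        row["enc_pin"] = deterministic_encrypt(r["pin"])
        leak.append(row)
    return leak


def ranked_guesses(leak: list) -> dict:
    """For each ciphertext, rank candidate plaintexts by how many of the
    accounts sharing that ciphertext have personal data pointing at them."""
    votes = defaultdict(Counter)
    for row in leak:
        for c in pin_candidates(row):
            votes[row["enc_pin"]][c] += 1
    # most_common() is stable, so ties keep the pin_candidates() priority order
    return {ct: [c for c, _ in cnt.most_common()] for ct, cnt in votes.items()}


def recovery_report(records: list) -> dict:
    """Run the attack over the leak, then score it against the true passcodes
    (known only to this demo).  Maps each true PIN to the rank at which the
    attacker's shortlist hits it, or None if it never appears."""
    ranked = ranked_guesses(leaked_view(records))
    report = {}
    for r in records:
        pin = r["pin"]
        guesses = ranked.get(deterministic_encrypt(pin), [])
        report[pin] = guesses.index(pin) + 1 if pin in guesses else None
    return report


if __name__ == "__main__":
    for pin, rank in recovery_report(RECORDS).items():
        label = "not in shortlist" if rank is None else f"rank {rank}"
        print(f"passcode {pin}: {label}")
```

Three of the four passcodes fall at rank 1 of a shortlist of at most seven guesses, and the shared ciphertexts for "1985" and "0309" are resolved purely by majority vote across the accounts that share them. Only the randomly chosen "4271" survives, and only because it occurs once in this toy set; in a dump of tens of millions of rows, every common passcode's ciphertext recurs often enough for the same vote to settle it, which is why per-record salting (so equal passcodes do not share a ciphertext) matters more than the strength of the cipher.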

Actions Taken

Investigating a data breach that occurred nearly three years earlier poses significant challenges. AT&T has stated that it cannot yet determine whether the leaked data originated from its own systems or from one of its vendors, and that it has found no evidence of unauthorized access to its systems that would account for the exfiltration. In response, AT&T proactively reset the passcodes of all current account holders and advised its customers on further steps they can take to protect their information.

Prevention

Robust multi-factor authentication (MFA) combines two or more independent credentials drawn from different categories: something you know (a password or PIN), something you have (a hardware token or a registered mobile phone) and something you are (a biometric). The AT&T account passcode belongs to the same "something you know" category as the account password; it is not delivered to or bound to a separate device, so adding it to a password does not produce a second factor, only a second (and very small) secret. Because of this inherent weakness, a 4-digit passcode adds little to the security level when it is used as the knowledge factor. Effective MFA combines at least two of the categories above so that each factor compensates for the weaknesses of the other, giving layered defenses, and the credentials must be independent so that compromise of one (for instance, through a leaked dataset) does not lead to compromise of another. Strict policies are also needed for password complexity and renewal, for the secure handling and storage of biometric data, and for the secure registration and authentication of the devices and tokens used in the process. Protected storage of sensitive information and passcodes, encryption of data in transit, and strict access controls, including attempt limits or lockouts on passcode verification, are equally vital.
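As an added example of the storage and access-control points above (not code from the HALOCK briefing, and not a description of what AT&T actually deployed), the following Python shows one way to store and check a 4-digit account passcode so that a leaked table reveals no relationships between accounts and online guessing is bounded by a lockout rather than by the 10,000-value space. The PEPPER value, the PBKDF2 iteration count, MAX_FAILURES and LOCKOUT_SECONDS are assumed parameters chosen for the demo; in production the pepper would live in a KMS or HSM rather than in source.

```python
"""Added example (not from the HALOCK briefing or AT&T): salted, peppered,
slow hashing of a 4-digit account passcode plus failure-count lockout."""
import hashlib
import hmac
import os
import time

# Assumptions for this demo: the pepper is kept outside the database (KMS/HSM),
# so a dump of the passcode table alone does not allow offline verification.
PEPPER = b"server-side-secret-kept-outside-the-database"
ITERATIONS = 100_000          # PBKDF2 work factor; tune to the hardware
MAX_FAILURES = 5              # wrong attempts before the account locks
LOCKOUT_SECONDS = 15 * 60     # how long the lock lasts


def _digest(pin: str, salt: bytes) -> bytes:
    """Slow, per-account-salted, peppered hash of the passcode."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt + PEPPER, ITERATIONS)


def enroll(pin: str) -> dict:
    """Build the record to persist for one account.  A fresh random salt per
    account means two customers with the same passcode get unrelated digests,
    so a leaked table cannot be grouped or voted on by passcode."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _digest(pin, salt), "failures": 0, "locked_until": 0.0}


def verify(record: dict, pin: str, now=None) -> str:
    """Check one attempt and update the record in place.  Returns "ok", "bad"
    or "locked".  `now` is injectable so lockout behaviour can be tested."""
    now = time.time() if now is None else now
    if now < record["locked_until"]:
        return "locked"                      # refuse without evaluating the guess
    attempt = _digest(pin, record["salt"])
    if hmac.compare_digest(attempt, record["hash"]):   # constant-time compare
        record["failures"] = 0
        return "ok"
    record["failures"] += 1
    if record["failures"] >= MAX_FAILURES:
        record["failures"] = 0
        record["locked_until"] = now + LOCKOUT_SECONDS
    return "bad"


def same_pin_correlates(pin: str) -> bool:
    """True if two enrollments of the same passcode yield the same stored
    hash, which is exactly what a deterministic unsalted scheme does and what
    the per-account salt here prevents."""
    return enroll(pin)["hash"] == enroll(pin)["hash"]


if __name__ == "__main__":
    rec = enroll("1985")
    print("equal passcodes share a stored value:", same_pin_correlates("1985"))
    for guess in ["0000", "0001", "0002", "0003", "0004", "0005"]:
        print(guess, verify(rec, guess, now=1000.0))
    print("correct passcode after lock expires:",
          verify(rec, "1985", now=1000.0 + LOCKOUT_SECONDS))
```

With these constants an online attacker gets at most five guesses per fifteen minutes against one account, a few hundred per day instead of 10,000 in seconds, and a dump of the table gives nothing to group by. The caveat is that the slow hash only buys time: if the pepper leaks along with the table, each account's 10,000-value space is still enumerable offline at the cost of 10,000 PBKDF2 evaluations, so the pepper's separation from the database, not the work factor, is what keeps the offline case closed.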

KEEPING YOU INFORMED – HALOCK SECURITY BRIEFING FOR CLIENTS

The HALOCK Security Briefing is a review of significant events, trends, and movements that will influence how you manage cybersecurity, risk, and compliance. Our clients receive periodic overviews with an extensive report file on the topics discussed. This insightful document also includes reference links throughout the report for easy navigation and deeper research.