Anonymous hackers have been breaking into the accounts of people with AT&T email addresses, and using that access to break into victims’ cryptocurrency exchange accounts and steal their cryptocurrency, TechCrunch has learned.
At the beginning of the month, an anonymous source told TechCrunch that a gang of cybercriminals had found a way to hack into the email addresses of anyone with att.net, sbcglobal.net, bellsouth.net, and other AT&T email addresses.
According to the tipster, the hackers are able to do this because they have access to a portion of AT&T’s internal network, which allows them to generate any user’s mail keys. Mail keys are unique credentials that AT&T email users can use to log into their accounts from email applications such as Thunderbird or Outlook, without having to use their passwords.
With the target’s mail key, hackers can use an email application to log into the target’s account and start resetting passwords for more profitable services, such as cryptocurrency exchanges. At this point, it’s game over for the victim, as hackers can reset the victim’s Coinbase or Gemini account password via email.
The tipster provided a list of alleged victims. Two of the victims responded by confirming that they had been hacked.
AT&T spokesperson Jim Kimberly said the company has “identified the unauthorized creation of secure mail keys, which in some cases can be used to access an email account without requiring a password.”
“We’ve updated our security controls to prevent this activity. As a precaution, we’ve also proactively required password resets on some email accounts.”
AT&T declined to say how many people were affected in this wave of hacks. But the company, “as a precautionary measure,” locked some email accounts and forced their owners to reset their passwords.
“This process eliminated any secure mail keys that were created,” the spokesperson added.
One of the victims told TechCrunch that the hackers stole $134,000 from his Coinbase account. The second victim said it had “happened over and over again since November 2022 – maybe 10 times at this point. I noticed it happened when my Outlook client failed to ‘connect’ and I quickly logged into (AT&T’s) B and deleted its key and created a new one.”
“Very frustrating because the ‘hackers’ clearly have direct access to the database or files containing the customer’s Outlook keys, and the hackers do not need to know the user’s AT&T website login information to access and change the login keys,” added the victim.
Several people on Reddit with AT&T and related email addresses also said they had been hacked.
“Hi, my email was hacked back in March of this year. I have done everything I can to reset the password, security questions, etc., but sometimes I still get emails saying a secure mail key has been created on my account, unbeknownst to me,” one user wrote. “They will even delete the email notification so I don’t see it, but I recently changed to another email for profile updates so they can’t access. Seems this person still has access to my account but how?”
Another person writes: “I’ve had the same problem for several months and just started, the password didn’t change but the account got locked and somehow the mail key kept being generated.”
The tipster claims that the hackers can “reset any” AT&T email account, and that they have made between $15 and $20 million in stolen cryptocurrency. (TechCrunch was unable to independently verify the tipster’s claim.)
TechCrunch has seen a screenshot apparently taken from a Telegram group chat, in which a hacker claims that the gang “has the entire AT&T employee database,” which gives them access to an internal AT&T employee portal called OPUS.
“The only thing we are missing is the certificate, which is the last key to access the VPN (AT&T) servers,” the hacker wrote in the Telegram channel.
The tipster said the gang now has access to AT&T’s internal VPN.
Kimberly, an AT&T spokesperson, denied that the hackers had any access to the company’s internal systems. “There was no intrusion into any system for this exploit. The bad actors used access to the API.”
Do you have more information about these hacks against AT&T email users? Or other similar tricks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, via Wickr, Telegram and Wirelorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.