Hackers are breaking into AT&T email accounts to steal cryptocurrency


May 1, 2023 - 21:00

Unknown hackers are breaking into the accounts of people who have AT&T e-mail addresses, and using that access to then hack into the victim’s cryptocurrency exchange accounts and steal their crypto, TechCrunch has learned.

At the beginning of the month, an anonymous source told TechCrunch that a gang of cybercriminals has found a way to hack into the e-mail addresses of anyone who has an att.net, sbcglobal.net, bellsouth.net and other AT&T e-mail addresses.

According to the tipster, the hackers are able to do that because they have access to a part of AT&T’s internal network, which allows them to create mail keys for any user. Mail keys are unique credentials that AT&T e-mail users can use to log into their accounts using email apps such as Thunderbird or Outlook, but without having to use their passwords.

With a target’s mail key, the hackers can use an e-mail app to log into the target’s account and start resetting passwords for more lucrative services, such as cryptocurrency exchanges. At that point it’s game over for the victim, as the hackers can then reset the victim’s Coinbase or Gemini account password via e-mail.

The tipster provided a list of alleged victims. Two of the victims replied, confirming they’ve been hacked.

AT&T spokesperson Jim Kimberly said that the company “recognized the unauthorized creation of secure mail keys, which can be utilized in some instances to access an e-mail account while not having a password.”

“We have now updated our security controls to stop this activity. As a precaution, we additionally proactively required a password reset on some e-mail accounts,” the spokesperson said, forcing the account owners to reset their passwords.

AT&T declined to say how many people have been hit in this wave of hacks. “This process wiped out any secure mail keys that had been created,” the spokesperson added.

One victim told TechCrunch that hackers stole $134,000 from his Coinbase account. The second victim said that “it has been occurring repeatedly since November 2022 — in all probability 10 times at this point. I notice it has been done when my Outlook client fails to ‘connect’ and I quickly log in to my [AT&T] website and delete their key and create a brand new one.”

“Very frustrating because it’s obvious that the ‘hackers’ have direct access to the database or files containing these customer Outlook keys, and the hackers don’t need to know the user’s AT&T website login to access and change these Outlook login keys,” the victim added.

Additionally, several people with AT&T and other related email addresses stated on Reddit that they’ve been hacked.

“Hey, my e-mail was compromised back in March of this year and I’ve done everything I can to reset password, security questions, and so forth but occasionally I’m still getting emails that a secure mail key has been created on my account without my knowledge,” one user wrote. “They would even delete the e-mail notification so I don’t see it but I recently changed to another e-mail for profile updates so that they don’t have access. This seems like someone still has access to my account but how?”

Another person wrote: “I’ve had the same issue for months and just started again, password wasn’t changed but account locked out and a Mail Key keeps being created somehow.”

The tipster claims that the hackers can “reset any” AT&T e-mail account, and that they’ve made between $15 and $20 million in stolen crypto. (TechCrunch couldn’t independently verify the tipster’s claim.)

TechCrunch has seen a screenshot apparently coming from a Telegram group chat, where one of the hackers claims that the gang “have the whole AT&T employee database,” which allows them to access an internal AT&T portal for employees called OPUS.

“Only thing we’re missing is a certificate, which is the final key to accessing the [AT&T] VPN servers,” the hacker wrote in the Telegram channel, according to the screenshot.

The tipster said that the gang now has access to AT&T’s internal VPN.

Kimberly, the AT&T spokesperson, denied that the hackers had any access to internal company systems. “There was no intrusion into any system for this exploit. The bad actors used an API access.”


Do you have more information about these hacks against AT&T e-mail users? Or other similar hacks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or e-mail lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.

The post Hackers are breaking into AT&T email accounts to steal cryptocurrency appeared first on Ferdja.