Users' Data Target Of 'Targeted Attack' on AT&T

New submitter fran6gagne writes "AT&T [Monday] notified customers of an effort by hackers to collect online account information. It is not believed that the perpetrators of this attack obtained access to sensitive information." eWeek's account has a bit more detail.

Re:Target of targeted attack?

[Lunix+Nutcase]

That's the brilliant "editing" work of timothy. The original articles used "organized and systematic" attack but timothy must have thought that was too clear and not redundant enough for the slashdot title.

(One of) My problems with AT&T...

[jesseck]

When I signed up for a UVerse account, they provided the login details. They had my username (previously tied to DSL), no biggie. But then the technician at the house was able to pull up my password. MY password. It's stored in a reversible manner (if encrypted at all)- why the fuck? This does not surprise me that AT&T was targeted, and I'm sure they have millions of customers that believe they password is safe. Since then, I don't trust AT&T or that account for anything important.

Re:(One of) My problems with AT&T...

[certain+death]

You mean they are serious about protecting _THEIR OWN_ data, not customers data.

phone numbers may be enumerated

It appears that they are just enumerating which phone numbers are set up with online account access. This can be done via the account setup page. The login page itself will not tell you if an account exists or doesn't exist, but the setup page will. Likely, this is a first step to later brute force passwords. Given that the username is the phone number, they can then just try and find one that has an account set up with AT&T's web site. The daily internet storm center podcast had some details about this. http://isc.sans.edu/podcastdetail.html

Next up

[mr1911]

It is not believed that the perpetrators of this attack obtained access to sensitive information.

AT&T does not consider any of its customer's personal data as "sensitive information".