15 July 2024

US telecom giant AT&T confirms major data breach affecting 110M customers

The US telecommunications giant AT&T has revealed a major data breach affecting almost all of its customers. Hackers accessed and copied the data from AT&T's workspace on a third-party cloud platform, the company said.

According to a filing with the US Securities and Exchange Commission (SEC), on April 19, 2024, AT&T discovered that call logs had been accessed and unlawfully copied. The stolen data includes records of calls and texts of nearly all of AT&T's cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network, and AT&T’s landline customers who interacted with those cellular numbers between May 1, 2022, and October 31, 2022. Additionally, some of the stolen data includes more recent records from January 2, 2023, for a smaller number of customers.

The compromised data also affects call records of customers with phone service from other cell carriers that rely on AT&T's network. AT&T has clarified that the stolen data does not contain the content of calls or texts but includes calling and texting records, the total count of a customer's calls and texts, and call durations. Some of the stolen records include cell site identification numbers, which can be used to determine the approximate location where a call was made or a text message was sent.

A hacker, who claims responsibility for the theft of sensitive call and text logs, stated they were paid about $400,000 to erase the data trove, Bloomberg reported. An analysis of a Bitcoin wallet address provided by the hacker shows a transaction in mid-May that analysts believe corresponds to an extortion payment. A person familiar with the ransomware negotiations, speaking anonymously, confirmed the payment from AT&T to the hacker.

An AT&T spokesperson declined to comment on whether the company paid a ransom to mitigate the fallout from the breach, which potentially exposed a vast cache of call and text logs from nearly all its wireless customers during a six-month period in 2022. The breach is the most recent one linked to a security incident at the data analysis software provider Snowflake, in which a financially motivated threat actor known as UNC5537 targeted Snowflake customer database instances in a broad campaign aimed at data theft and extortion.

AT&T said the FBI is investigating, and at least one person has been arrested in connection with the breach.

