

AT&T Snowflake Incident Explained - How to Mitigate Risks with MFA | Episode #12

Learn more about John Martinez (and his trust issues) and how to mitigate risk with MFA.

Transcript

Hey everybody.

Welcome to another episode of John Has Trust Issues, where I talk about issues relevant to the worlds of zero trust and authorization in a few minutes.

My name is John Martinez, and I’m the technical evangelist at StrongDM.

My trust issue today stems from that voicemail - because I don’t pick up phone calls anymore - about a free weekend in Hawaii, followed by a text message saying I just need to attend a three-hour session at a hotel somewhere in town. Yeah, I’m good. Thank you.

Let’s talk about an issue that has hit a lot of people around the country. Reports say that over 100 million people were affected. Almost every AT&T customer has been impacted by this latest data breach.

This one has an interesting twist because it’s related to the Snowflake attacks - specifically attacks on Snowflake environments run by customers in late spring of 2024.

As disclosed by AT&T on January 12, and widely reported by outlets like TechCrunch and SC Media, nearly all AT&T customers were affected. We’re talking about call logs, text record logs, and metadata that was breached and stolen from AT&T’s Snowflake environment.

In an interesting twist, Wired reported that the hacker who stole the data was paid $370,000 by AT&T to delete it. An intermediary between the hacker and AT&T believes the only copy of the data was deleted, based on access to the storage bucket where it was stored. That’s what’s been reported.

So what was stolen, and how could this affect you?

Call logs were stolen—the records of calls made and received. Text logs were also included—not the content, but the metadata showing which numbers communicated with each other. Additionally, cell site ID information for a subset of records was leaked.

This kind of data can be damaging. It allows someone to connect relationships between phone numbers, build patterns, and effectively create a social graph. With reverse lookups, they could identify individuals and map communication networks.

This raises privacy concerns, as well as potential personal and even national security implications.

AT&T has stated that determining exact locations from the cell site data would be difficult without deep knowledge of telecom infrastructure, so that risk is lower.

Also, according to reports, no other PII - like social security numbers or dates of birth - was exposed.

So what can you do?

First, follow basic security hygiene. Rotate your passwords, make them strong and unique, and encourage your family members to do the same.

Second, use MFA everywhere. Better yet, use phishing-resistant MFA, time-based codes, or passkeys where possible. Modern password managers make this much easier.

Third, expect an increase in spam calls and texts. Ignore them, report them, and use built-in protections on your device.

That’s from a consumer perspective.

From an enterprise perspective, it’s easy to point fingers at Snowflake, but this comes down to shared responsibility. Cloud providers secure the infrastructure - you are responsible for securing how you use it.

This likely involved an account without MFA and possibly compromised credentials from a legitimate user. That’s a common pattern.

So here are some minimum recommendations:

Enable phishing-resistant MFA everywhere, including at the database level.

Monitor for misconfigurations and respond quickly to reduce exposure time.

Use identity federation so you can rely on your identity provider’s MFA and eliminate local credentials.

Follow your cloud provider’s shared responsibility model and security best practices.

At a more advanced level, adopt a zero trust approach - no standing access, no standing privileges, and continuous verification.

Solutions like StrongDM can help enforce this with policy-based access control and dynamic MFA triggers based on user actions.

At the end of the day, the goal is to protect sensitive data by tightly controlling access and continuously validating users.

I’d love to hear your thoughts - whether you’ve been affected or what best practices you’re using in your environment.

That’s another episode of John Has Trust Issues. This episode was brought to you by StrongDM, the modern access management platform that enables continuous zero trust authorization for all your critical infrastructure.

Thank you, and have a great day.
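As an added example (not from the episode and not StrongDM's code), this is what the enterprise recommendations above look like as concrete checks against a Snowflake account: first find users whose recent successful logins used a password with no second factor, then list users who still hold a local password without MFA enrollment, and finally require MFA for password logins. Column names come from Snowflake's ACCOUNT_USAGE LOGIN_HISTORY and USERS views; the authentication-policy statement assumes your account supports the MFA_ENROLLMENT property, so verify it against current Snowflake documentation before running it.

```sql
-- Added example, not from the original page.
-- 1. Successful password-only logins in the last 30 days, per user.
--    ACCOUNT_USAGE views lag live activity (typically 45 min to 2 h),
--    so this is a hunting/posture query, not a real-time alert.
SELECT user_name,
       COUNT(*)                  AS password_only_logins,
       COUNT(DISTINCT client_ip) AS distinct_source_ips,
       MAX(event_timestamp)      AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY password_only_logins DESC;

-- 2. Users that still hold a local password and are not enrolled in MFA.
--    Humans should move to SSO (SAML) through the identity provider;
--    service accounts to key-pair or OAuth, so local passwords can be dropped.
SELECT name, has_password, ext_authn_duo, has_rsa_public_key, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = 'false'
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 3. Enforce MFA enrollment for any remaining password logins, account-wide.
--    Assumption: MFA_ENROLLMENT is supported on this account (check Snowflake docs).
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('PASSWORD');

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

Run the two SELECTs with a role that can read the SNOWFLAKE database (ACCOUNTADMIN or one granted IMPORTED PRIVILEGES); any user surfaced by both queries is exactly the pattern the episode describes, a password-only account that a leaked credential alone would unlock.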
