Arab Canada News

During a massive hacking operation... the exposure of call records and text messages for all AT&T customers

By Mounira Magdy

Published: July 12, 2024

The telecommunications company AT&T revealed today, Friday, that call and text message records from mid-to-late 2022 for tens of millions of its mobile phone customers and many non-AT&T customers were exposed in a massive data breach.

AT&T stated that the breached data includes phone numbers of "almost all" of its cellular customers and wireless service providers using its network between May 1, 2022, and October 31, 2022.

The stolen records also contain a log of each number that AT&T customers contacted or sent text messages to – including customers of other wireless networks – and the frequency of interactions, along with the duration of the call.

Importantly, AT&T said that the stolen data did not include the contents of calls and text messages or the timing of those communications.

AT&T added that records of a "very small number" of customers as of January 2, 2023, are also involved.

The Federal Communications Commission (FCC) stated on the social media platform X: "We have an ongoing investigation into the AT&T breach and are coordinating with our law enforcement partners."

The company attributed the breach to “illegal downloading” from a third-party cloud platform, which it became aware of in April – just as the company was grappling with an unrelated major data leak.

AT&T said it does not believe that the exposed data is publicly available, but CNN could not independently verify this claim.

Alex Byers, a spokesperson for AT&T, told CNN that this is a completely new incident "and is in no way connected" to another incident disclosed in March. At that time, AT&T stated that personal information like Social Security numbers for 73 million current and former customers had been posted on the dark web.

The company stated regarding the recent breach: "We deeply regret this incident and remain committed to protecting the information in our care."

AT&T listed nearly 110 million wireless subscribers by the end of 2022. AT&T stated that international calls were not included in the stolen data, except for calls to Canada.

The breach also involved AT&T landline customers who interacted with these mobile phone numbers.

AT&T stated that the contents of calls or text messages or personal information such as Social Security numbers or dates of birth or customer names were not disclosed in this incident; however, the company acknowledged that publicly available tools can often link names to specific phone numbers.

Additionally, AT&T stated that for an undisclosed subset of its records, one or more cell site identifiers associated with the calls and text messages were also revealed. Such data may disclose the broad geographical location of one or more parties.

AT&T promised to notify current and former customers whose information was included and provide them with resources to protect their information.

Details of usage such as timing of calls and text messages were also not compromised. However, spokesperson Byers told CNN that the number of calls and text messages and total call durations for specific days or months were disclosed.

This means that the data would not accurately pinpoint when one phone number called another, but it could reveal how many times the two parties contacted each other – and the duration of the conversations – on specific days.

AT&T learned on April 19 that "a threat actor claimed to have illegally accessed AT&T call records and copied them." The company stated that it had "immediately" engaged experts and a subsequent investigation found that the hackers leaked the files between April 14 and 25.

Department of Justice Delays Public Disclosure

The company stated that the U.S. Department of Justice determined in May and June that the delay in public disclosure was justified. The FBI stated that AT&T contacted it shortly after learning of the breach, but the agency wanted to review the data for potential risks to national security.

The FBI said in a statement: "In assessing the nature of the breach, all parties discussed the potential delay in public reporting… due to potential risks to national security and/or public safety. AT&T and the FBI and the Department of Justice worked collaboratively throughout the first and second delay processes, all while exchanging critical intelligence regarding threats to bolster the FBI's investigation and assist AT&T in its incident response efforts."

Sanaz Yashar, co-founder and CEO of the cybersecurity company Zafran, told CNN: "This is extremely concerning; this information is highly valuable to cybercriminals and nation-states."

Yashar, a former Israeli cyber spy, indicated that threat actors can link cell ID data with other readily available information to pinpoint someone's place of work – including sensitive locations such as the White House and the Pentagon.

"You don't need the timestamp. If there’s someone there every day, you can understand they work there and their routine. This is extremely sensitive information and it's how spies do things.”

AT&T's shares fell by 1 percent on Friday following this news.

In the new incident, AT&T told CNN that it learned in April that customer data was illegally downloaded from its workspace on Snowflake, a third-party cloud platform.

Brad Jones, chief information security officer at Snowflake, told CNN in a separate statement that the company found no evidence that this activity "resulted from a security vulnerability or a misconfiguration or a breach of the Snowflake platform." Jones noted that this was verified by investigations conducted by third-party cybersecurity experts from Mandiant and CrowdStrike.

AT&T stated that it has launched an investigation, hired cybersecurity experts, and taken steps to close the "unauthorized access point."

The company stated it is cooperating with law enforcement efforts to apprehend those responsible and understands that at least one individual has already been arrested.
