Hackers have reportedly been breaking into AT&T-provided email addresses, and using this access to steal large quantities of cryptocurrency, TechCrunch reports. While it’s not clear how many people have been impacted, one alleged victim claims to have lost $134,000 from a Coinbase account associated with a compromised email address. Email addresses with att.net, sbcglobal.net, and bellsouth.net domain names have all reportedly been affected.
The vulnerability revolves around secure mail keys, app-specific credentials that let users log into AT&T email accounts from clients like Outlook or Thunderbird without entering the account password. Somehow, attackers appear to have found a way to generate these keys without the knowledge of the account’s owner. Once they have access to the mailbox, they can request password resets from cryptocurrency exchanges like Coinbase or Gemini (along with, presumably, many other online accounts associated with the email address).
AT&T spokesperson Jim Kimberly confirmed to TechCrunch that the company had “identified the unauthorized creation of secure mail keys, which can be used in some cases to access an email account without needing a password.”
The tipster who alerted TechCrunch to the issue said that hackers have been able to create these mail keys because they have access to an internal AT&T system. But AT&T’s Kimberly disputes this. “There was no intrusion into any system for this exploit. The bad actors used an API access,” they said.
“We have updated our security controls to prevent this activity. As a precaution, we also proactively required a password reset on some email accounts,” Kimberly said. “This process wiped out any secure mail keys that had been created.” AT&T did not immediately respond to The Verge’s request for comment asking whether it believes the security issue has been fully resolved.
It’s not clear how long the problem may have existed, but one victim told TechCrunch that they’d been experiencing ongoing issues with their mail keys since November last year. A Reddit post (also from November) describes a similar issue.
The incident highlights how an email account can be a single point of failure for much of a user’s online life. Access the account and you access all the connected services. In this case, those services reportedly included cryptocurrency, making potential losses even greater.