AT&T Paid $370,000 to Hacker For Deleting Stolen Records

AT&T reportedly paid a hacker approximately $370,000 to delete stolen customer data. The payment was made to ensure the erasure of call and text records that had been illicitly obtained during a series of cyber intrusions earlier this year.

The hacker, associated with the notorious ShinyHunters hacking group, initially demanded $1 million but settled for the lower amount after negotiations. The transaction, which took place in May, was facilitated through Bitcoin, and the deletion of the data was verified through a video demonstration provided by the hacker.

The breach occurred between April 14 and April 25, 2024, and involved unauthorized access to AT&T’s workspace on a third-party cloud platform. The compromised data includes records of customer call and text interactions from May 1 to October 31, 2022, and some records from January 2, 2023.

The data breach exposed call and text metadata belonging to AT&T customers, including phone numbers, communication dates, and call durations.

It’s important to note that the breach did not reveal the content of the calls or messages, and it didn’t include subscriber names. However, certain records contained cell site IDs, which could disclose user locations.

Negotiations and Payment

A security researcher using the pseudonym Reddington mediated the negotiations between AT&T and the hacker. Reddington, who also received compensation from AT&T for his role, expressed confidence that the sole comprehensive version of the data was eliminated. However, he cautioned that fragments of the data might still exist elsewhere.

The hacker demonstrated the deletion of the stolen data from a shared cloud server, which was used by the hacker and another individual, presumably Binns. The payment was verified through blockchain tracking tools, according to the WIRED report.

Despite the payment and the apparent deletion of the data, residual risks persist for AT&T customers. Other entities may still retain unrecovered data samples, posing ongoing security threats. The FBI and other security agencies are involved in assessing the extent of the breach and its potential repercussions.

The disclosure of the breach was delayed due to potential national security implications. The Department of Justice granted AT&T exemptions to postpone public notification, allowing time for the FBI to conduct a thorough assessment.

AT&T’s decision to pay the ransom underscores the problematic choices companies face when dealing with sophisticated cyber threats.


“This is a concerning update from AT&T, and the reports it paid criminals highlight the perilous position businesses find themselves in when their data ends up in the hands of hackers,” Kevin Robertson, COO of Acumen Cyber, told Cyber Security News.

“Even the massive enterprises see no other option than to pay criminals; it’s not just the small businesses that have to make these dangerous decisions.

But, even despite this, paying criminals to delete data is always inadvisable. There are absolutely no guarantees they will stick to their word, so this doesn’t mean AT&T customers are now in the clear.

The data compromised could be used to carry out fraud, so anyone who receives a breach notification must use caution online.

More positively, Snowflake has just recently announced an update to its platform where admins can now make MFA for their users. This will provide a significant security boost against incidents like these in the future.” 

Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.