AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records


US telecom giant AT&T, which disclosed Friday that hackers had stolen the call records for tens of millions of its customers, paid a member of the hacking team more than $300,000 to delete the data and provide a video demonstrating proof of deletion.

The hacker, who is part of the notorious ShinyHunters hacking group that has stolen data from a number of victims through unsecured Snowflake cloud storage accounts, tells WIRED that AT&T paid the ransom in May. He provided the address of the cryptocurrency wallet that sent the currency to him, as well as the address that received it. WIRED confirmed, through an online blockchain tracking tool, that a payment transaction occurred on May 17 in the amount of 5.7 bitcoin. Chris Janczewski, head of global investigations for crypto-tracing firm TRM Labs, also confirmed using the company’s own tracking tool that a transaction occurred in the amount of about 5.72 bitcoin (the equivalent of $373,646 at the time of the transaction), and that the money was then laundered through several cryptocurrency exchanges and wallets, but said there was no indication of who controlled the wallets.

A security researcher who asked to be identified only by his online handle, Reddington, also confirmed that a payment occurred. The hacker enlisted him to serve as the go-between in his negotiation with AT&T, and Reddington received a fee from AT&T for serving in that capacity. Reddington provided WIRED with proof of the fee payment. The hacker initially demanded $1 million from AT&T but ultimately agreed to a third of that.

WIRED viewed the video that the hacker says he provided to AT&T as proof to the telecom that he had deleted its stolen data from his computer. AT&T did not respond to WIRED’s request for comment.

It was indirectly through Reddington that AT&T learned about the data theft three months ago.

Reddington tells WIRED that in mid-April, an American hacker living in Turkey and believed to be John Erin Binns—not the hacker who received payment—contacted him to say that he had obtained Reddington’s AT&T call logs. After Reddington verified that the call logs were real, Binns allegedly told Reddington that he had also obtained call and texting logs of millions of other AT&T customers through a poorly secured cloud storage account hosted by Snowflake. Reddington notified the security firm Mandiant about the breach, and Mandiant then notified AT&T. In a regulatory filing it made to the Securities and Exchange Commission on Friday, AT&T said that it first learned of the breach in April.

Reddington says he believes the entire AT&T dataset that Binns allegedly stole was deleted because the hacker and Binns stored the data in a cloud server that they both could access, and he says the hacker deleted it from that server.

AT&T is one of more than 150 companies believed to have had data stolen from poorly secured Snowflake accounts during a hacking spree that unfolded throughout April and May. It has been previously reported that the accounts were not secured with multi-factor authentication, so once the hackers had obtained valid usernames and passwords for the accounts, and in some cases authorization tokens, that single factor was enough to log in to the companies’ storage accounts and siphon their data. Ticketmaster, the banking firm Santander, LendingTree, and Advance Auto Parts are among the victims publicly identified to date.
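The exposure described above is a single-factor one: a user whose only credential is a password, and a successful login where a password was the only factor presented. The script below is an added example, not part of the WIRED report or of any vendor tooling, showing how a Snowflake administrator could hunt for both conditions. It works over constructed sample rows that mirror the column names of the SNOWFLAKE.ACCOUNT_USAGE.USERS and SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY views; the account names, IP addresses, the DUO_PUSH factor value and the trusted network ranges are assumptions for the example, and in a real review the rows would come from exporting those views.

```python
"""Hunt for password-only exposure in a Snowflake account.

Two checks, matching the attack described in the article:
  1. users who can log in with nothing but a password
     (password set, no MFA enrolled, no RSA key pair, not disabled);
  2. successful logins where the only factor presented was a password,
     optionally restricted to source IPs outside the trusted networks.

The sample rows are constructed for this example; the column names follow
SNOWFLAKE.ACCOUNT_USAGE.USERS and SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY, e.g.
  SELECT name, has_password, has_mfa, has_rsa_public_key, disabled
  FROM snowflake.account_usage.users WHERE deleted_on IS NULL;
"""
import ipaddress

# Constructed sample of the USERS view (account names are hypothetical).
USERS = [
    {"NAME": "ETL_SVC", "HAS_PASSWORD": True, "HAS_MFA": False,
     "HAS_RSA_PUBLIC_KEY": False, "DISABLED": False},
    {"NAME": "ANALYST1", "HAS_PASSWORD": True, "HAS_MFA": True,
     "HAS_RSA_PUBLIC_KEY": False, "DISABLED": False},
    {"NAME": "PIPELINE", "HAS_PASSWORD": False, "HAS_MFA": False,
     "HAS_RSA_PUBLIC_KEY": True, "DISABLED": False},
    {"NAME": "OLD_CONTRACTOR", "HAS_PASSWORD": True, "HAS_MFA": False,
     "HAS_RSA_PUBLIC_KEY": False, "DISABLED": True},
]

# Constructed sample of the LOGIN_HISTORY view (IPs are documentation ranges).
LOGIN_HISTORY = [
    {"EVENT_TIMESTAMP": "2024-04-14T03:12:09Z", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "203.0.113.7", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-14T09:01:44Z", "USER_NAME": "ANALYST1",
     "CLIENT_IP": "198.51.100.20", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-15T02:40:00Z", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "198.51.100.5", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-15T02:41:10Z", "USER_NAME": "PIPELINE",
     "CLIENT_IP": "198.51.100.9", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-16T22:05:31Z", "USER_NAME": "OLD_CONTRACTOR",
     "CLIENT_IP": "203.0.113.44", "REPORTED_CLIENT_TYPE": "OTHER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
]

# Assumed corporate egress ranges; logins from elsewhere deserve a closer look.
TRUSTED_NETS = ["198.51.100.0/24"]


def password_only_users(users):
    """Names of active users whose only credential is a password."""
    return [
        u["NAME"] for u in users
        if u["HAS_PASSWORD"] and not u["HAS_MFA"]
        and not u["HAS_RSA_PUBLIC_KEY"] and not u["DISABLED"]
    ]


def password_only_logins(rows):
    """Successful logins where a password was the sole factor presented."""
    return [
        r for r in rows
        if r["IS_SUCCESS"] == "YES"
        and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
        and r["SECOND_AUTHENTICATION_FACTOR"] is None
    ]


def off_network(rows, trusted_cidrs):
    """Keep only rows whose CLIENT_IP falls outside every trusted range."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    return [
        r for r in rows
        if not any(ipaddress.ip_address(r["CLIENT_IP"]) in n for n in nets)
    ]


if __name__ == "__main__":
    print("password-only users:", password_only_users(USERS))
    weak = password_only_logins(LOGIN_HISTORY)
    for r in off_network(weak, TRUSTED_NETS):
        print("password-only login from untrusted IP:",
              r["EVENT_TIMESTAMP"], r["USER_NAME"], r["CLIENT_IP"],
              r["REPORTED_CLIENT_TYPE"])
```

The first check is the preventive one: anything it returns is an account that a stolen password alone unlocks, and a service account with no MFA and no key pair is the usual culprit. The second check is the retrospective one, and the trusted-network filter is deliberately a separate step: a password-only login from inside the corporate range still tells you MFA is not enforced, it just ranks lower than the same login from an unknown address.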

Read full report: https://www.wired.com/story/atandt-paid-hacker-300000-to-delete-stolen-call-records/
