Wednesday , April 2 2025

Hackers are breaking into AT&T email accounts to steal cryptocurrency

Unknown hackers are breaking into the accounts of people who have AT&T email addresses, and using that access to then hack into the victim’s cryptocurrency exchange’s accounts and steal their crypto, TechCrunch has learned.

At the beginning of the month, an anonymous source told TechCrunch that a gang of cybercriminals have found a way to hack into the email addresses of anyone who has an att.net, sbcglobal.net, bellsouth.net and other AT&T email addresses.

Check Point said BreachForum post old data

Israeli cybersecurity firm Check Point has responded to a hacker who claimed to have stolen valuable information from its systems....
Read More
Check Point said BreachForum post old data

Apple Warns of 3 Zero Day Vulns Actively Exploited

Apple has issued an urgent security advisory about 3 critical zero-day vulnerabilities—CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085—that are being actively exploited in...
Read More
Apple Warns of 3 Zero Day Vulns Actively Exploited

24,000 unique IP attempted to access Palo Alto GlobalProtect portals

GreyNoise has detected a sharp increase in login scanning aimed at Palo Alto Networks PAN-OS GlobalProtect portals. In the past...
Read More
24,000 unique IP attempted to access Palo Alto GlobalProtect portals

CVE-2025-1268
Patch urgently! Canon Fixes Critical Printer Driver Flaw

Canon has announced a critical security vulnerability, CVE-2025-1268, in printer drivers for its production printers, multifunction printers, and laser printers....
Read More
CVE-2025-1268  Patch urgently! Canon Fixes Critical Printer Driver Flaw

Within Minute, RamiGPT To Escalate Privilege Gaining Root Access

RamiGPT is an AI security tool that targets root accounts. Using PwnTools and OpwnAI, it quickly navigated privilege escalation scenarios...
Read More
Within Minute, RamiGPT To Escalate Privilege Gaining Root Access

Australian fintech database exposed in 27000 records

Cybersecurity researcher Jeremiah Fowler recently revealed a sensitive data exposure involving the Australian fintech company Vroom by YouX, previously known...
Read More
Australian fintech database exposed in 27000 records

Over 200 Million Info Leaked Online Allegedly Belonging to X

Safety Detectives' Cybersecurity Team found a forum post where a threat actor shared a .CSV file with over 200 million...
Read More
Over 200 Million Info Leaked Online Allegedly Belonging to X

FBI investigating cyberattack at Oracle, Bloomberg News reports

The Federal Bureau of Investigation (FBI) is probing the cyberattack at Oracle (ORCL.N), opens new tab that has led to...
Read More
FBI investigating cyberattack at Oracle, Bloomberg News reports

OpenAI Offering $100K Bounties for Critical Vulns

OpenAI has increased its maximum bug bounty payout to $100,000, up from $20,000, to encourage the discovery of critical vulnerabilities...
Read More
OpenAI Offering $100K Bounties for Critical Vulns

Splunk Alert User RCE and Data Leak Vulns

Splunk has released a security advisory about critical vulnerabilities in Splunk Enterprise and Splunk Cloud Platform. These issues could lead...
Read More
Splunk Alert User RCE and Data Leak Vulns

According to the tipster, the hackers are able to do that because they have access to a part of AT&T’s internal network, which allows them to create mail keys for any user. Mail keys are unique credentials that AT&T email users can use to log into their accounts using email apps such as Thunderbird or Outlook, but without having to use their passwords.

With a target’s mail key, the hackers can use an email app to log into the target’s account and start resetting passwords for more lucrative services, such as cryptocurrency exchanges. At that point it’s game over for the victim, as the hackers can then reset the victim’s Coinbase or Gemini account password via email.

The tipster provided a list of alleged victims. Two of the victims replied, confirming they have been hacked.

AT&T spokesperson Jim Kimberly said that the company “identified the unauthorized creation of secure mail keys, which can be used in some cases to access an email account without needing a password.”

“We have updated our security controls to prevent this activity. As a precaution, we also proactively required a password reset on some email accounts,” the spokesperson said, forcing the account owners to reset their passwords.

AT&T declined to say how many people have been hit in this wave of hacks. “This process wiped out any secure mail keys that had been created,” the spokesperson added.

One victim told TechCrunch that hackers stole $134,000 from his Coinbase account. The second victim said that “it has been happening repeatedly since November 2022 — probably 10 times at this point. I notice it has been done when my Outlook client fails to ‘connect’ and I quickly login to my [AT&T] site and delete their key and create a new one.”

“Very frustrating because it is obvious that the ‘hackers’ have direct access to the database or files containing these customer Outlook keys, and the hackers don’t need to know the user’s AT&T website login to access and change these outlook login keys,” the victim added.

“Hello, my email was compromised back in March of this year and I have done everything I can to reset password, security questions, etc but occasionally I’m still getting emails that a secure mail key has been created on my account without my knowledge,” one user wrote. “They would even delete the email notification so I don’t see it but I recently changed to another email for profile updates so they don’t have access. This sounds like someone still has access to my account but how?”

Another person wrote: “I’ve had the same issue for months and just started again, password wasn’t changed but account locked out and a Mail Key keeps being created somehow.”

The tipster claims that the hackers can “reset any” AT&T email account, and that they have made between $15 and $20 million in stolen crypto. (TechCrunch could not independently verify the tipster’s claim.)

TechCrunch has seen a screenshot apparently coming from a Telegram group chat, where one of the hackers claims that the gang “have the entire AT&T employee database,” which allows them to access an internal AT&T portal for employees called OPUS.

“Only thing we are missing is a certificate, which is the last key to accessing the [AT&T] VPN servers,” the hacker wrote in the Telegram channel, according to the screenshot.

The tipster said that the gang now has access to AT&T’s internal VPN.

Kimberly, the AT&T’s spokesperson, denied that the hackers had any access to internal company systems. “There was no intrusion into any system for this exploit. The bad actors used an API access.”

Check Also

FBI

FBI investigating cyberattack at Oracle, Bloomberg News reports

The Federal Bureau of Investigation (FBI) is probing the cyberattack at Oracle (ORCL.N), opens new …

Leave a Reply

Your email address will not be published. Required fields are marked *