Users' Data Target Of 'Targeted Attack' on AT&T
New submitter fran6gagne writes "AT&T [Monday] notified customers of an effort by hackers to collect online account information. It is not believed that the perpetrators of this attack obtained access to sensitive information." eWeek's account has a bit more detail.
(One of) My problems with AT&T... (Score:5, Interesting)
phone numbers may be enumerated (Score:4, Interesting)
It appears that they are just enumerating which phone numbers are set up with online account access. This can be done via the account setup page. The login page itself will not tell you if an account exists or doesn't exist, but the setup page will. Likely, this is a first step to later brute-force passwords. Given that the username is the phone number, they can then just try and find one that has an account set up with AT&T's web site. The daily Internet Storm Center podcast had some details about this. http://isc.sans.edu/podcastdetail.html
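The pattern described in the comment above shows up in web logs as one client submitting many different phone numbers to the setup page in a short time. The detector below is an added example, not part of the original comment and not AT&T's code; the log layout, the `/account/setup` path, the thresholds and the sample lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: "<ISO time> <client IP> POST /account/setup number=<10 digits>"
LINE = re.compile(r"^(\S+) (\S+) POST /account/setup number=(\d{10})$")

def find_enumerators(lines, window=timedelta(minutes=5), max_distinct=5):
    """Return {ip: peak count of distinct numbers seen inside one window}
    for every client that exceeded max_distinct on the setup endpoint."""
    recent = defaultdict(deque)  # ip -> (timestamp, number) pairs still in the window
    flagged = {}
    for line in lines:           # lines are assumed to be in time order
        m = LINE.match(line.strip())
        if not m:
            continue  # not a setup request; login traffic needs its own rule
        ts, ip, number = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        q = recent[ip]
        q.append((ts, number))
        while ts - q[0][0] > window:  # drop requests older than the window
            q.popleft()
        distinct = len({n for _, n in q})  # retries of one number count once
        if distinct > max_distinct:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

def build_sample():
    """Constructed log lines (documentation IP ranges, made-up numbers)."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    rows = []
    for i in range(20):  # one client stepping through a block of numbers
        rows.append((base + timedelta(seconds=10 * i), "203.0.113.7", f"55501000{i:02d}"))
    for i in range(3):   # a customer retrying their own number
        rows.append((base + timedelta(seconds=30 * i), "198.51.100.23", "5550199123"))
    for i in range(6):   # six different numbers, but ten minutes apart
        rows.append((base + timedelta(minutes=10 * i), "192.0.2.50", f"55501990{i:02d}"))
    rows.sort()
    return [f"{t.isoformat()} {ip} POST /account/setup number={n}" for t, ip, n in rows]

if __name__ == "__main__":
    for ip, peak in find_enumerators(build_sample()).items():
        print(f"{ip}: {peak} distinct numbers within 5 minutes of each other")
```

Counting distinct numbers rather than raw requests keeps a customer who retries their own number from being flagged. The underlying fix is still to make the setup page answer the same way whether or not an account exists.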
Re:(One of) My problems with AT&T... (Score:4, Interesting)