Insights from my Stolen AT&T Data (or: Why I Use Signal)

On July 12th, we learned that criminals stole AT&T phone records of around 110 million customers. The stolen data included phone numbers as well as call and text records sent between May 1, 2022 and October 31, 2022, as well as January 2, 2023.

The stolen records didn’t contain the actual content of calls or texts, but what’s known as metadata–information about the calls and texts, or data about data. In this case, the stolen records identify phone numbers AT&T numbers interacted with. Some included cell site ID numbers associated with the interactions. 

I did have an AT&T account in 2022, but I’m also an avid Signal user, so I wasn’t sure how much the data would reveal about me. What could you know about me by seeing which numbers I called and texted, how often, and how long I spoke with people on the phone?

AT&T made the phone numbers of calls and texts in the downloaded data available to those affected, so I submitted a data request with my account number and case number. 

Unfortunately, the data that was stolen included aggregated counts of calls and texts and aggregated duration of calls over periods of times, and these were not included in the report. I did, however, get a list of 105 calls/texts along with dates of the first calls and texts and last calls and texts between the numbers. (My data must not have included the tower codes, as these sections were marked NA.)

With the numbers in hand, I got to work. Here is what I found.

Me, myself, and I

About a third of the records were times when I called or texted…myself. I believe these must have been me checking my voicemail. There were three additional calls/texts to a dedicated number for checking voicemail messages.

Miscellaneous businesses

Contacts in this data included my vet, three medical professionals, a landscaper, a food delivery service, a postal service, a massage therapist, a tech company, a data broker I was opting out of (ironically!), the company that provides invoicing software I use, and three calls from the place doing work on my car. While none of these are super revealing on their own (because they were pretty standard appointments), I definitely don’t love the idea of this kind of data getting in the hands of wrong people as some of it can be very revealing. For example, the specific type of medical professional who calls can be quite telling, and knowing the majority of businesses one frequents can make it pretty easy to figure out specific locations where they spend time. I can’t think of a practical way for the doctors and dentists and clinics of the world to send a reminder of an appointment (without it getting buried in an inbox), but I wish there was one. 

Old friends from far away

A tenth of the records were calls or texts to ten friends. I didn’t call anyone more than twice, probably because we switched to Signal. (In context, I communicate with probably around 50 people via Signal each month.) It is for this reason that I think it would be much more difficult to  use the people on this list to for example, get information on my whereabouts, though it wouldn’t be impossible. 

The great mystery

A fifth of the calls or texts were to or from numbers that I don’t have saved in my phone and for which nothing pops up in a search engine. Maybe they know who they are.

Probably scams

In addition to the mysteries above, there were two calls associated with scammers (at least according to various sites I found when putting the number in a search engine). I also had calls from some online wedding site in Utah (over a five-day period), a PR person on a beat I don’t cover, an injury lawyer, some rehab and wellness suite, a political organization that I would never donate to (over six days!), and five organizations that sound like nonprofits. 

All work and no play

Actually, I only found four work-related calls! Sometimes this was planning to meet up in person while I was traveling, and sometimes this is from switching to phone to take a call for whatever reason.

Subtext

I spent 15 days on Subtext, an SMS marketing and engagement platform. This actually protected my information in that nobody knows what the discussion was about or who I communicated with throughout it.

Most frivolous call

A place that does hot air balloon rides. Would’ve been nice, but it’s alway so windy! 

Most wholesome call

SARK’s Inspiration Line, which you can also call at (415) 546-3742. You can listen to the pre-recorded message and hang up or leave a message at the end. 

Bottom line

It’s certainly possible I’m missing ways in which the information from this specific leak could be more harmful, and I don’t feel great about the picture of me that could be painted by someone with access to it… or their contact list of people and places to reach out to if they wanted to learn more. However, I feel that using Signal religiously kept my most sensitive data out of reach to the threat actors behind this leak. Looking at just this swath of data would paint an incomplete picture of who I spend the most time texting or on the phone with, and I did not implicate any sources in this data.

What data Signal has

Signal is pretty cool. It’s end-to-end encrypted and attackers would have trouble getting data that Signal doesn’t have in the first place. They’d be limited to the timestamp from when I created my account and the date I last connected to Signal. To learn more about how to use SIgnal, check out the Communicate Privately With Signal page in Security Planner, and if you’re a journalist, read the piece about what journalists need to know about the AT&T breach of phone and text data by Martin Shelton on the Freedom of the Press Foundation blog.