AT&T Customers Doxed Themselves En Masse In Reply-All Nightmare

AT&T customers ensnared in a reply-all hell doxed their own names and email addresses after someone discovered that external users could reply to an internal mailing list. 

According to a post on Hackers News and a follow-up video by cybersecurity researcher and educator John Hammond, it started when one AT&T customer named Alex Kelly replied to an email from the telecom that was sent to a strange address: DONOTUSEPOD1NON@list.att.com. 

"This is a test to see if external users can email AT&T's internal email list with the most recent email mishap," they wrote. Soon, the responses were rolling in from other customers who had received Kelly’s email. 

"This is going to be a long email thread…." one person replied, according to screenshots of the reply-all thread shared by a poster on Hacker News. "Wheeee!!!!" said another. One customer replied to plug their video game. The replies revealed users' names and email addresses, which were initially unredacted on Hacker News. Hammond obscured people's information in his YouTube video. 

"What's sad about this is it shows that AT&T uses a method of email management that doesn't have the ability to unsubscribe for end users—in fact, they control the distribution list and they control who gets what email," Kelly said in a pinned response under Hammond's YouTube video. 

"I was surprised that I was able to successfully send the email to that list," Kelly told Motherboard in an email. "I do wish I had included a line in the initial email which said 'Please note, if you reply to this email, everyone else will see your email', but ultimately I was shocked this worked because the fix is literally a checkbox when you create the distribution list in Exchange."

At the time of writing, it was unclear if the situation was resolved, or if there were more AT&T mailing list reply-all apocalypses occurring. Hammond reported that Kelly received a bounceback the last time they emailed the DONOTUSEPOD1NON address, but that trying other numbers in the email address resulted in "hits." Motherboard emailed the original address and a few iterations, and received no bounceback from the original address, but two bounceback responses from iterations. 

“We have corrected an issue with an email list. We apologize for the inconvenience,” an AT&T spokesperson said in an emailed statement.

The situation looks like a classic reply-all meltdown, which have occurred numerous times in the past. In most cases, they are merely entertaining for observers and frustrating for participants. Notably, the AT&T mailing list snafu didn't appear to leak the information of any customers on its own. Still, anybody replying to the thread effectively doxed themselves to other participants, albeit only their name, email, and any other information they offered in their reply. Kelly polled people in the reply-all thread and received about 100 responses at the time Hammond's video was posted, revealing that most recipients were business customers.

Kelly said the whole situation is "mostly a laugh with a slight sprinkle of 'Wait... why does AT&T have a list containing my email which I have no control over?' I get hundreds of spam emails every day—many of which completely circumvent spam filters because the bad actors are abusing things like mailing lists," he said.

As Motherboard previously reported, hackers can use multiple routes to compromise telecom subscribers, including SIM swapping—taking over a victim's cell number to break into their other accounts such as email and social media—and compromising telecoms directly. 

Update: This article was updated with comment from an AT&T spokesperson.