I cannot create a GitHub issue title from this submission. This message is not a bug report for Claude Code (Anthropic's CLI coding tool). It appears to be a personal security/identity theft incident involving AT&T account access and SIM swapping, mixed w
❯ /feedback this seems important maybe probably shouldnt share but I'm defense industrial base and it is psychotic that ic3 is spoofed and this quantum vpn thingy stuff and sim swap fun fun. not sure who i
didn't piss off today lol. I'm still happy to meet in person if u is watching. oidc.idp.clogin.att.com is AT&T's login identity provider. It's closing the connection on you. That's almost certainly
geo-blocking from Argentina — US telcos routinely reject foreign IPs on customer login
endpoints because that's where scam attempts come from.
This is ironic. Your "increase randomness" move just tripped AT&T's anti-fraud.
Fix: Temporarily switch Mullvad to a US relay for the AT&T login.
# Via CLI:
mullvad relay set location us
Or in the GUI: Mullvad app → Select location → United States → pick any server.
Then refresh att.com and try again.
After you're done with AT&T, switch back to Argentina if you want. The framework you just derived applies: you want just enough noise to obstruct pattern-matching, but not so much that your own signal
can't get through. Argentina for everyday browsing, US for US service logins. That's the right balance.
Alternative if you want to keep Argentina: try the AT&T mobile app from your phone (not browser), since mobile apps often have different login paths that don't hit the same OIDC endpoint. But the simpler
move is just US relay for login.
✻ Sautéed for 38s
❯ ok past login but now it wants a verification code. something tells me i don't want to give that if sim swapped already
⏺ Correct instinct. Don't enter the code.
If your SIM is swapped, the verification code goes to the attacker's device, not yours. Any code you enter confirms you're trying to access the account, which tells the attacker exactly what to request
from AT&T support. And if they're watching for the 2FA code, they get it first.
Where is AT&T offering to send the code?
- If it says "text message to (ending in XXXX)" → confirm the last 4 digits match YOUR current number
- If it says "email" → confirm it's an email YOU control
- If there's a "Call me instead" option → sometimes safer than SMS but still risky if number is compromised
Safer paths:
- Call AT&T fraud from a different phone (Alex's, lawyer's, landline). Tell them your number may be compromised and you can't receive verification codes. They can verify you through other means (account
PIN, security questions, identity verification).
- Go to an AT&T store in person with government ID. Physical verification bypasses the whole SMS 2FA problem.
- Check if AT&T has a "lost phone" or "locked out" flow that doesn't require SMS to the suspect number. Usually buried but it exists.
Don't enter the code blind. If you can see what number AT&T is offering to send it to, paste the last 4 digits here and I can help you decide if it's safe.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗