Friday, May 13, 2011

How Can My Contacts Be Stolen and Used for Spamming When They Are Only Stored on My ATT web email Account?

This is, to me, a question that must be answered by any ATT.  On their main support site they provide the following information.
 
My att.net email account is sending Spam to my contacts
Some users have reported that their contacts received spam that originated from their att.net Mail account.  If you've experienced this issue, your account has likely been compromised and was used by an unauthorized third party to send spam or fraudulent emails to your contact list.  It is a strong possibility that one or more of your computers has been compromised with a virus or other malicious software, putting all your personal data at risk, including your email address and password information.
AT&T Information Security Services recommends you take the following steps to recover full control of your account information:

  • Make sure all computers on your network are clean and your network is secure

  • Wireless Security:

    If you utilize a wireless-capable connection device, please ensure that the wireless connectivity is disabled if it is not being used or that security is enabled for the wireless connection. If security is not enabled anyone within range of the device can use the connection and you as the account holder will be held responsible for any activity originating from your connection.

  • Change your Password

    By changing your password immediately, you can minimize the resulting risk for your att.net account. You may want to change it immediately to secure your account and again once you are sure your network is clean. For help selecting a strong password and/or safeguarding it against misuse, please review the tips posted in the password section of the Yahoo! Security Center.

Other considerations:

  • Notify contacts - Use an alternate email address or another form of contact to warn your contacts not to open anything from your compromised email address. Recommend that they use updated firewall and anti-virus protection and keep all security patches updated. They should also run an anti-virus scan.
  • Create a new email address - If you don't mind losing your email address it's best to start fresh and create a new one. You can go here to create new AT&T sub accounts.
  • Keep records - Your email address is linked to many of your online activities. If your ID is compromised, you don't want the bad guys asking your bank to send a new user name and password to that email account. Keep track of every activity tied to your email account, and if the account is compromised, immediately notify your bank, credit card company and any other related accounts.
  • Put online purchases on hold - You'll want to make sure your computer is virus-free before you start entering credit card numbers for online purchases. Some malicious software enables criminals to track every key stroke a computer makes.

    To me this does not answer the root cause question- how did someone get the contact list from my ATT net account.   (This assumes that your contacts are not on your computer.)  It seems that, if I run the right anti-malware programs and find nothing, then it is ATT itself that is compromised!  So… I contacted ATT and this is my dialog: 


    You:
    I am asking this question on behalf of our entire community. Our community has been hit by spam. It seems to be originating from one person, at least the emails have the person's bellsouth email in the FROM field. The person ONLY has contacts in ATT web email; nothing on the computer.
    Consultant:
    I do apologize for the inconvenience this has caused you. I'll do my very best to help.
    You:
    So, I've read what is on the ATT/Yahoo web site regarding this.
    I've checked the person's computer for malware using the most advanced techniques. Nothing. So, I need to tell everyone in the community (about 500 homes, almost all ATT subscribers) how this happened and what to do. How could someone get the person's contact list? Or, perhaps is it actually a spoof, with someone else's computer having the infection. I need a good explanation other than ".change password.".
    Consultant:
    I am very sorry that this is happening. I apologize for the inconvenience that this is causing.
    You:
    That doesn't "feel good" to any of your subscribers. The "change password" is a syndrome fix, not a diagnosis of the problem.
    Consultant:
    It's possible that the person might have opened a spam email or replied to it that's why it had the contacts or was able to access email.
    You:
    I don't understand the sentence. Let me try to rephrase it.
    Consultant:
    I mean it's possible that she did open a spam email or she may have replied to a spam email.
    You:
    The person is on ATT email. The person opens a spam. NOTHING gets to the person's computer, since there is no evidence of malware on it. But person responds to the spam. That gives the spammer the person's email. Is that what you are saying?
    Consultant:
    Yes, that is correct. Here's a link on how you can recognize, avoid and report spam emails.
    You:
    BUT! How did they get her contact list?
    Consultant:
    pushes page,http://www.att.com/esupport/article.jsp?sid=KB400544#fbid=8i-hEC2IzAb
    You:
    OK, I read that before I contacted you. That doesn't help diagnose this problem, it only throws a bunch of potential solutions without isolating the cause. The big question: How did they get the person's contact list? Please answer.
    Consultant:
    There are some spam emails that ask for the account information and if you reply to that email, it will allow the spammer to access your email and copy all your contacts or send a spam email to your contacts.
    You:
    The person didn't give a password.
    Consultant:
    The spammers have their own way of accessing your account with the information that you provide. There are some spammers that even use your email address in sending the spam email.
    You:
    Here is a scenario I want to pass by you as a root cause. I want you to say that this is a likely cause and then I want you to pass it on to ATT supervisor for action. On your last note about "their own way" you mean they have a password generation routine? But that doesn't make sense. Don't you shut down an email account if 3 unsuccessful attempts are made?
    Consultant:
    I suggest that you change your password and go over the link that I gave you to recognize and avoid spam emails. Yes, emails are blocked after three attempts, if password or email address are not entered correctly.
    You:
    OK, but here's what I think and I want you to pass to your superiors. I think the email goes to the spammer and the spammer checks Facebook. I think they get the contacts from facebook through a robot that trolls unprotected facebook accounts.
    Consultant:
    You can forward the spam email that you receive to abuse&att.net so that we can check on that and block it from our server.
    You:
    So... what needs to be added to your instructions is how to avoid exposing information on facebook. A link to the instructions on facebook security provided by the facebook organization, along with some words about how that exposes their email account and what actions in the instructions the user should follow should be a top priority of ATT.
    Consultant:
    Yes, I'll make sure that my supervisor will be able to review this chat session and I'll be posting a note on your account regarding this issue.
    Yes, I'll make sure those things are noted.

    I really don’t feel comfortable with the response, because they cannot describe how someone with no malware can have their contact list stolen other than to perhaps point the finger of responsibility to someone else.  Assuming the spammer/hacker has obtained the password within 3 guesses is, to me, absurd!

    The most likely scenario is that the hacker got to this person’s email through another computer that had a contact list on it (not on ATT).

    The only other explanation is that the person was infected with a special piece of malware that, when the person is logged on to ATT, can command ATT to download the contact list.  After the contact list is transferred through the firewall(s)! to the spammer, the infection completely removes itself, so not a trace is left. Remarkable!
     
    The hacker/spammer then sends emails to everyone on that infected computer’s list, using addresses in the contact list for the from address.  So… changing your password doesn’t help at all!
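
    Whether a given spam message really left the named mailbox or only carries that address in the From field can be checked from the headers of one of the spam messages as received. The sketch below is an added example, not part of the original post or of AT&T's guidance; the domains, sample headers and function names are constructed, and it assumes the recipient's mail server stamps an RFC 8601 Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def trusted_verdicts(msg, authserv_id):
    """spf/dkim/dmarc results, taken only from Authentication-Results headers
    stamped by our own receiving server; any other copy may be forged."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        if value.split(";", 1)[0].strip().lower() != authserv_id:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            verdicts.setdefault(method, result.lower())
    return verdicts

def classify(raw_message, authserv_id):
    msg = message_from_string(raw_message)
    verdicts = trusted_verdicts(msg, authserv_id)
    if not verdicts:
        return "unknown"               # nothing trustworthy to judge by
    from_domain = domain_of(msg["From"])
    spf_aligned = (verdicts.get("spf") == "pass"
                   and domain_of(msg["Return-Path"]) == from_domain)
    if verdicts.get("dmarc") == "pass" or spf_aligned:
        return "sent-by-from-domain"   # left the From domain's own servers
    return "spoofed-from"              # the From line is only a label

# Constructed sample headers (example domains, not real traffic).
SPOOFED = """\
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=bulk-sender.example;
 dmarc=fail header.from=provider.example
From: "Neighbor" <neighbor@provider.example>

body
"""
FROM_ACCOUNT = """\
Return-Path: <neighbor@provider.example>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=provider.example;
 dkim=pass header.d=provider.example; dmarc=pass header.from=provider.example
From: neighbor@provider.example

body
"""
FORGED_HEADER = FROM_ACCOUNT.replace("mx.receiver.example", "mx.elsewhere.example")
```

    A "spoofed-from" result is the case where changing the password does nothing, because the message never touched the named mailbox; "sent-by-from-domain" points back to the account itself or a device logged in to it.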

    Comments?

    2 comments:

    1. This is happening to me right now. ATT has not been helpful and suggested I sign up for its paid technical support service for $15/month (minimum commitment is 12 months.) Yesterday, when I checked Settings in my att/yahoo email account, I noticed an email address that I didn't enter or recognize. When I try to change or delete that address, I'm taken to the top of the page. I don't know for sure, but I'm wondering if an email is sent to this mysterious address whenever I log on, change my password, etc. It's been a real pain trying to figure out a solution and AT&T has been out to lunch.
      Chris

      Replies
      1. I recommend contacting me and I'll tell you how to resolve this issue. I don't want to put the resolution on a public forum.