AT&T reset passcodes for millions of customers after acknowledging a massive leak involving the data of 73 million current and former subscribers.
“Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders,” AT&T said in an update posted to its website on Saturday.
An AT&T support article said the carrier is “reaching out to all 7.6 million impacted customers and have reset their passcodes. In addition, we will be communicating with current and former account holders with compromised sensitive personal information.” AT&T said the leaked information varied by customer but included full names, email addresses, mailing addresses, phone numbers, Social Security numbers, dates of birth, AT&T account numbers, and passcodes.
AT&T’s acknowledgement of the leak described it as “AT&T data-specific fields [that] were contained in a data set released on the dark web.” But the same data appears to be on the open web as well. As security researcher Troy Hunt wrote, the data is “out there in plain sight on a public forum easily accessed by a normal web browser.”
The hacking forum has a public version accessible with any browser and a hidden service that requires a Tor network connection. Based on forum posts we viewed today, the leak seems to have appeared on both the public and Tor versions of the hacking forum on March 17 of this year. Viewing the AT&T data requires a hacking forum account and site “credits” that can be purchased or earned by posting on the forum.
We contacted AT&T today and will update this article if we get a response.
49 million email addresses
Hunt’s post on March 19 said the leaked information included a file with 73,481,539 lines of data that contained 49,102,176 unique email addresses. Another file with decrypted Social Security numbers had 43,989,217 lines, he wrote.
Hunt, who runs the “Have I Been Pwned” database that lets you check if your email was in a data breach, says the 49 million email addresses in the AT&T leak have been added to his database.
BleepingComputer covered the leak two weeks ago, writing that it is the same data involved in a 2021 incident in which a hacker shared samples of the data and attempted to sell the entire data set for $1 million. In 2021, AT&T told BleepingComputer that “the information that appeared in an Internet chat room does not appear to have come from our systems.”
AT&T maintained that position last month. “AT&T continues to tell BleepingComputer today that they still see no evidence of a breach in their systems and still believe that this data did not originate from them,” the news site’s March 17, 2024, article said.
AT&T says data may have come from itself or vendor
AT&T’s update on March 30 acknowledged that the data may have come from AT&T itself, but said it also may have come from an AT&T vendor:
AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web approximately two weeks ago. While AT&T has made this determination, it is not yet known whether the data in those fields originated from AT&T or one of its vendors. With respect to the balance of the data set, which includes personal information such as Social Security numbers, the source of the data is still being assessed.
“Currently, AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set,” the company update also said. AT&T said it “is communicating proactively with those impacted and will be offering credit monitoring at our expense where applicable.”
AT&T said the passcodes that it reset are generally four digits and are different from AT&T account passwords. The passcodes are used when calling customer support, when managing an account at a retail store, and when signing in to the AT&T website “if you’ve chosen extra security.”