AT&T confirmed the leak of 73 million records for the first time on Saturday, while resetting the stolen passcodes of 7.6 million current affected customers.
The leaked AT&T dataset was published “on the dark web” in mid-March 2024 and appears to contain data from 2019 or earlier, according to AT&T. The data theft impacts 7.6 million current AT&T account holders and 65.4 million former account holders.
A sample of what may be the same dataset was originally posted to a hacker forum on August 2021 by a threat actor attempting to sell all 73 million records, wrote security consultant and “Have I Been Pwned?” founder Troy Hunt, who noted that said forum is available on the clear web.
The telecom giant previously denied that the “recycled” data from 2021, which includes at least 49 million email addresses and 44 million Social Security numbers, came from its systems, and declined to say whether the leak contained accurate customer records.
AT&T ultimately acknowledged the leak after TechCrunch reported the findings of security researcher Sam “Chick3nman” Croley to the company, which revealed that encrypted passcodes were included in the stolen dataset. The passcodes, mostly four-digit numbers, could be easily deciphered and used to access customer accounts when combined with other information.
Croley reverse-engineered the encrypted codes to their plaintext forms without needing to crack the encryption, by using clues from other parts of the dataset such as dates of birth and Social Security numbers, according to TechCrunch. In addition to emails, DOBs, SSNs and passcodes, the dataset also includes customer names, mailing addresses and AT&T account numbers.
“If it has not, AT&T should evaluate the processes they have in place to identify exposure and remediation. From a customer perspective, they should update the passcodes, which should be done on a regular basis even if there is no breach, and lock their SIM from porting to another carrier to prevent SIM swaps,” Narayana Pappu, CEO at Zendata, a data protection company, told SC Media in an email.
AT&T will be notifying impacted customers and former customers by mail or email and has reset the passcodes of 7.6 million current account holders, according to a support page on the AT&T website. The company is working with external cybersecurity experts to further investigate the incident and said it does not currently have evidence of unauthorized access to its systems, but does not know whether the data theft originated from AT&T or one of its vendors.
How old data leaks can come back to haunt customers
While the leaked AT&T data may be at least five years old, that does not mean it cannot have an impact on current and former customers.
Any leak of names paired with SSNs and addresses puts victims at risk of fraud. AT&T recommended customers sign up for free fraud alerts through credit bureaus such as Equifax and Experian and said it will be offering credit monitoring at the company’s expense “where applicable.”
And while the affected AT&T passcodes have been reset, customers who have used the same pin number for other accounts over the years should consider changing those, as well.
One 2019 survey by Google and Harris Poll found that 65% of respondents reuse the same password for multiple accounts, 13% of which reused one password for all accounts, pointing to a high possibility that the compromised pins have also been used elsewhere.
“Current and former AT&T customers should assume they’ve already been breached and act accordingly. Proactive steps individuals can and should take immediately include changing login information for their account with AT&T, getting [a] dark web monitoring service, monitoring or freezing their credit and practicing good cyber hygiene,” Anne Cutler, cybersecurity evangelist at Keeper Security, told SC Media in an email.
Threat actors have been known to try using email and password pairs leaked from one site on other sites, leading to secondary breaches; on recent example was the leak of 6.9 million customer records from 23andMe, which were scraped from about 14,000 accounts directly accessed through “credential stuffing.” 23andMe used this fact as a defense against subsequent class action lawsuits, saying users “negligently recycled and failed to update their passwords” following previous breaches of other sites.
It's not uncommon for large stolen datasets to become publicly available years after they were originally obtained and put up for sale by a threat actor, due to the data losing its sale value over time. In his blog post, Hunt points out similar circumstances in the Dropbox and LinkedIn breaches, which occurred in 2012 but did not lead to broad distribution of the stolen data until 2016.
The 49 million unique addresses included in the AT&T leak have been added to the Have I Been Pwned? database, where customers can search their own email address to see if they were impacted.
