AT&T has finally confirmed it is impacted by a data breach affecting 73 million current and former customers after initially denying the leaked data originated from them.
This comes after AT&T has repeatedly denied for the past two weeks that a massive trove of leaked customer data originated from them and or that their systems had been breached.
While the company continues to say there is no indication their systems were breached, it has now confirmed that the leaked data belongs to 73 million current and former customers.
“Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders,” AT&T said in a statement shared with BleepingComputer.
The company further says that the security passcodes used to secure accounts were also leaked for 7.6 million customers.
In 2021, a threat actor known as Shiny Hunters claimed to be selling the stolen data of 73 million AT&T customers. This data includes names, addresses, phone numbers, and, for many customers, social security numbers and birth dates.
At the time, AT&T denied that they suffered a breach or that the data originated from them.
Fast forward to 2024, and another threat actor leaked the massive dataset on a hacking forum, stating it was the same data stolen by Shiny Hunters.
BleepingComputer analyzed the data and determined that it contained the same sensitive information that ShinyHunters claimed was stolen. However, not every customer had their social security number or birth date exposed by the incident.
AT&T once again denied that they suffered a breach or that the data originated from them.
However, BleepingComputer has spoken to over 50 AT&T and DirectTV customers since the data was leaked, and they told us that the leaked data contains information that was only used for their AT&T accounts.
These customers stated that they used the disposable email feature of Gmail and Yahoo to create DirectTV or AT&T-specific email addresses that were only used when they signed up for their service.
These email addresses were confirmed not to be used on any other platform, indicating that the data had to have originated from DirectTV or AT&T.
Troy Hunt also confirmed similar information from customers after the data was added to the Have I Been Pwned data breach notification service.
However, after contacting AT&T numerous times with this information, the company has not responded to further emails until today.
DirectTV ultimately told BleepingComputer that we would need to contact AT&T with further questions as the data predates their spinoff, and they no longer have access to AT&T systems to confirm.
Today, AT&T told BleepingComputer that they would only share further information about the breach in their published statement and a new page on keeping AT&T accounts secure.
The page on keeping accounts secure further discloses that the passcodes for 7.6 million AT&T customers were compromised as part of the breach and have been reset by the company.
Customers use passcodes to further secure their AT&T accounts by requiring them to receive customer support, manage accounts at retail stores, or sign into their online accounts.
“It has come to our attention that a number of AT&T passcodes have been compromised,” reads the new AT&T advisory.
“We are reaching out to all 7.6M impacted customers and have reset their passcodes. In addition, we will be communicating with current and former account holders with compromised sensitive personal information.”
TechCrunch first reported on the compromised passcodes after being contacted by a researcher who said the leaked data contained encrypted passcodes for millions of users.
AT&T further says that the data appears to be from 2019 and earlier and does not contain personal financial information or call history.
The company will notify all 73 million former and current customers about the breach and the next steps they should take.
AT&T customers can also use Have I Been Pwned to determine if their data was compromised in this breach.