AT&T notifies 73M users of data breach from dark web

DALLAS — Personal data from about 73 million current and former AT&T account holders has been leaked on the dark web, the telecom giant said Saturday.

The Dallas-based company said the data were released onto the dark web about two weeks ago, and officials are not sure yet whether the data originated from the company or one of its vendors.

“With respect to the balance of the data set, which includes personal information such as social security numbers, the source of the data is still being assessed,” officials wrote in a news release.

AT&T officials said the company has launched an investigation with cybersecurity experts. In their initial analysis, staff found the data set appears to be from 2019 or earlier, affecting about 7.6 million current account holders and 65.4 million former account holders.

Company officials noted they don’t have evidence at this point of unauthorized access to their systems.

“The company is communicating proactively with those impacted and will be offering credit monitoring at our expense where applicable,” officials wrote.

Anyone who has been affected will get an email or letter from the company.

AT&T officials said the incident had not had a material effect on the company’s operations Saturday. Customers have received emails noting that their account passcode has been compromised and that they must reset it.

“It appears the data is from more than 4 years ago and does not contain personal financial information or call history,” AT&T wrote to customers.

In the email, the company notes the information may have included customers’ full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and passcode.

If sensitive personal information was compromised, the company said it will provide “complimentary identity theft and credit monitoring services.”

The dark web leak comes a month after the company suffered a nationwide outage in its cellular service for a day. The company blamed the outage on a coding error and not a cyber attack.

“The real issue here is the fact that basically all the personal identifiable information that you would need to basically recreate a person in the cyberspace was leaked,” said Andrew Sternke, the CEO of Southlake-based DarkBox Security Systems.

In 2021, threat actor ShinyHunters claimed to be selling data on 70 million AT&T customers. Officials with the telecom company then told the tech outlet BleepingComputer that the information did not come from them, and they could not “speculate on where it came from or whether it is valid.”

The group has claimed to target Microsoft, Wattpad and Mashable in other data breaches, tech outlets have reported.

Users on the hacking forum, BreachForums, appear to suggest the data breach is a repost of the initial leak from 2021, but AT&T officials have not confirmed the connection.

“The real question is what happened between 2021 and now?” said Brett Callow, threat analyst with New Zealand-based cybersecurity company Emsisoft.

Breaches among telecommunications companies and with third-party vendors are not uncommon, Callow said.

Last year, T-Mobile said a “bad actor” accessed personal data from 37 million customers. In 2022, the company agreed to pay $350 million to settle class-action lawsuits from a data breach disclosed in 2021 that affected a little more than 40 million people. Verizon has also suffered from data breaches in the past.

Callow said service providers for companies can hold those companies’ data and large companies, like AT&T would have a massive number of vendors working with them in various ways.

In the case of AT&T’s breach, data could potentially be used to commit identity-related fraud. The crime of hacking AT&T or its vendor could lead to many other offenses, Callow said.

Sternke said two things people should do is check their credit file — a record of their credit history — and use two-factor authentication for every one of their accounts. He also urged those who are affected to change their password and to use a password manager.

“That will help keep track of your passwords by encrypting it and then you just need to know one main password to enter into your encrypted manager, and the password manager will automatically input your password into the account that you sign it.”

Customers should “absolutely” sign up for the credit monitoring services offered, Callow said.

“Hopefully that will mitigate those risks,” Callow said. Customers may also consider putting a block on their credit, which could stop fraud from happening, he said.

“The problem with credit monitoring services is they are reactive rather than proactive – it will enable you to find you’ve been the victim of identity fraud sooner than you otherwise would,” Callow said. “But they won’t actually stop the fraud from happening necessarily.”