AT&T has acknowledged a data leak impacted 73 million of its current and former customers. News of the data leak was made public in March of this year, after a hacker using the alias ShinyHunters posted an archive of the stolen data to BreachForums, a notorious data leaks site.
AT&T said it is unclear whether the data, which appears to be from 2019 at the latest, originated from AT&T or one of its vendors. It has also not yet been made public how the data was accessed.
The information posted to BreachForums includes customers’ full names, email addresses, phone numbers, Social Security numbers, and AT&T account numbers and passcodes. In light of this, AT&T has reset all passcodes. The telecoms company has said it will be contacting those affected via email or letter, as well as providing complimentary identity theft protection and credit monitoring services if personal info was leaked.
User’s financial information or call history was not included in the leak.
How public is the AT&T data leak?
Despite AT&T saying that the data was leaked on the dark web, web security consultant and owner of HaveIBeenPwnd.com, Troy Hunt, explained to What The Tech? that the data is on the “clear web”. This means that it is on sites that can be accessed via your regular browser, giving “thousands if not tens of thousands of people” access to the data.
This means that, for the 73 million people affected by the breach, their personal information is easily accessible. Troy Hunt empathized with this struggle, noting: “We cannot go and change our date of birth, changing a social security number is an absolute nightmare. So we have to work on the fact that the data is out there and we’re never going to get it back.”
Unfortunately, as many people do not take steps to protect their sensitive information until it has been breached, this can be an arduous process. Hunt suggests using identity theft and fraud protection services—something that AT&T has offered the victims of the data breach.
Where was the AT&T data leaked from?
There is evidence on BreachForum that the data leaked in March 2024 is a repost of a leak shared in 2021. In 2021, AT&T did not confirm whether or not this data was legitimate, and denied that the data came from AT&T, saying that the data posted “d[id] not appear to have come from our systems”.
Despite this, ShinyHunters continued to make claims about the legitimacy of the data posted, saying that they “d[id]n’t care if they d[id]n’t admit”, referring to AT&T.
How to protect your personal data
As Troy Hunt said, one of the issues with data breaches is the fact that people don’t protect their data until it’s too late. We’ve all done it—most people don’t assume that their personal information will be accessed by hackers and sold to other bad actors on the internet. Unfortunately, with the rate and scale of cyber attacks, your data being leaked has become less of and if and more of a when.
Take me for example—I used Troy Hunt’s own HaveIBeenPwned.com to find out what information about me has been posted on the internet, and found out that my phone number was exposed in a data breach, and my email address has been exposed in two.
So, with this in mind, it’s important to take steps to protect your identity and data online, including:
Using multi-factor authentication—this can help prevent hackers from gaining access to your accounts, even if your email address is made public.
Not reusing passwords and resetting your passwords if they are exposed in a data breach—this means that even if your username and password is exposed, hackers cannot access any other accounts you use, and even the account that has leaked details.
Investing in identity protection, whether this is on its own or part of an internet security suite—identify protection software can scour the web for data breaches you were involved in, allowing you to take further steps to protect your identity.
