AT&T admits data breach, says 51 million customers are affected

News
By Sead Fadilpašić
published

Significantly down from the initial 70 million reported, but still bad news

A black AT&T sign with its logo in bright blue hanging outside a brick store
(Image credit: Getty Images)

New information regarding the 2021 AT&T breach is emerging, with the company reducing the number of affected individuals by almost a third, from the initial 70 million, down to 51 million. 

AT&T also said it has started notifying victims of the breach, and offered identity theft monitoring and protection services. 

For the uninitiated, back in 2021, privacy blog RestorePrivacy reported that a threat actor was selling a huge database of current and former AT&T customers on a dark web forum. AT&T denied that it was its database, and claimed that its systems were not breached.

Financial information not included

Fast forward to 2024, and a different threat actor leaked the entire database, prompting the same response from the telco giant. However, after multiple media publications independently verified the authenticity and source of the data, AT&T came clean. However, it still didn’t say how the hackers obtained the database.

In any case, the company revised the number of affected individuals, pinning it down to 51,226,382. Apparently, many of the people on the list had duplicate entries.

"The [exposed] information varied by individual and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode," the company said in the breach notification. "To the best of our knowledge, personal financial information and call history were not included. Based on our investigation to date, the data appears to be from June 2019 or earlier."

When asked about the difference in the number of impacted customers, AT&T told BleepingComputer the database appeared to hold many duplicates:

"We are sending a communication to each person whose sensitive personal information was included.  Some people had more than one account in the dataset, and others did not have sensitive personal information.”

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.