AT&T Notifying Customers About Massive Data Leak

[MacRumors]

AT&T this week is letting customers and former customers know about a major data leak, and it is sending out emails and resetting passcodes to prevent unauthorized account access.

7.6 million customers and 65.4 million former customers have had their passcodes stolen and have had sensitive data leaked. AT&T claims that there was no unauthorized access to its systems resulting in the theft of the data set, with the information obtained several years ago.

Back in 2021, a hacking group said that it had stolen information on 70 million AT&T customers. AT&T at the time said that it had not suffered a breach, and the company still insists that the data did not come from its systems. Customer information leaked includes names, addresses, birth dates, AT&T account numbers, phone numbers, email addresses, and social security numbers, along with passcodes.

The data was not made public until March 2024, but now that it is out in the wild, AT&T has initiated passcode resets and says that it is working with external cybersecurity experts to further analyze the situation.

The company says leaked data does not include financial information or call history, and it will be providing complimentary identity theft and credit monitoring services for those who had their personal information compromised.

AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web. While AT&T has made this determination, it is not yet known whether the data in those fields originated from AT&T or one of its vendors.

With respect to the balance of the data set, which includes personal information such as social security numbers, the source of the data is still being assessed. Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and 65.4 million former account holders. Currently, AT&T does not have evidence of unauthorized access to its systems resulting in theft of the data set.

Impacted current and former customers will be receiving a letter or an email from AT&T.

Article Link: AT&T Notifying Customers About Massive Data Leak

 

[Think|Different]

It's becoming a tale as old as time – with the same amount of repercussions. Sad.

 

[Chuckeee]

Name, birthdate, social security number and addresses. Is all ID thieves need. AT&T passcode is such a minor concern in comparison. People will need to freeze their credit reports and closely monitor their credit

The issue is AT&T did not do anything until the data appear in the wild. That is deplorable.

 

[Unity451]

Glad I dropped AT&T a long time ago.

 

[Surf760]

As someone who had approximately 5 phones "added" to my account almost at that exact time... things are making a lot more sense.

 

[larrylaffer]

Glad I dropped AT&T a long time ago.

The problem is the data likely includes previous customers as well

 

[kenbewick]

maybe AT&T will issue a $5.00 credit for us like they did with the 1 day outage... They should been required to notify everyone way earlier than this. Thankfully my ID has a credit lock and freeze on them. Agree the passcode isn't a huge issue compared to the other data.

 

[mantan]

Glad I dropped AT&T a long time ago.

Whoever you have now is just a likely a target for a data hack down the road.

 

[BruiserB]

Wonder if this only relates to ATT's cellular division or if it also relates to things like DirecTV and DirecTVstream (which was known as ATT TV Now for a while?

 

[antiprotest]

Glad I dropped AT&T a long time ago.

It's not only an att problem. All of them have leaked and will keep leaking. Going to another carrier will only give your data to yet another company to leak meanwhile, as this leak shows, the old company will continue to leak your data.

 

[ctklein]

I wonder if this is why I had to fight to get a collections account removed from my credit report bc someone used my social and info to get ATT U Verse....

 

[Chuckeee]

Glad I dropped AT&T a long time ago.

The concern is if AT&T ever had you data, it is probably part of this data breech. It doesn’t matter if you’re a current customer. Data associated with 65.4 million former customers were released in this data breach.

 

[3530025]

The issue is AT&T did not do anything until the data appear in the wild. That is deplorable.

To be fair - company usually don’t know (at all) their data leaked until they appear in the wild. That’s a fact.

I know it‘s more cool to bash corporate for not imforming about older data leak sooner - but it really usually goes unnoticed. And if the company finds the hole and patch it, they usually assume it was not used and no data leaked.

The IDS is usually non-existent or not good enough to catch data leak before it appears in the wild.

tl;dr AT&T probably did not know before it appeared in the wild. And it’s not unusual. It’s rather common in such situations.

EDIT: My bad. The article states, AT&T was informed back in the 2021:

Back in 2021, a hacking group said that it had stolen information on 70 million AT&T customers. AT&T at the time said that it had not suffered a breach, and the company still insists that the data did not come from its systems.

 

[jz0309]

this just plain sucks, something in our legal system needs to change ...
For many year now, every morning, first thing, I check all my bank accounts as well as credit karma for any unusual activities, might take me 5 minutes but worth it to me

 

[spartan1967]

There should be a law preventing these carriers from requiring checking account info. to pay your bill so you don’t have to incur a fee. It’s just a matter of time before all of these big companies are hacked. The less relevant information available the better.

 

[oneMadRssn]

The issue is AT&T did not do anything until the data appear in the wild. That is deplorable.

This is the main issue. There are state laws that require notice when they know or have reason to know of a data breach. Some states set a time limit, usually a number of days. How is AT&T not being sued by state AGs right now for violating these laws? Or possibly even worse, does violating these laws open AT&T up to personal liability for downstream effects of the breach?

 

[jz0309]

Back in 2021, a hacking group said that it had stolen information on 70 million AT&T customers. AT&T at the time said that it had not suffered a breach, and the company still insists that the data did not come from its systems.

To be fair - company usually don’t know (at all) their data leaked until they appear in the wild. That’s a fact.

did you read this part?
and if they still claim its not from their systems - who the hell are they providing this kind of data to?????

 

[alexandr]

Any AT&T customers here who were judgmental and sarcastic af when T-Mobile had a leak care to share any thoughts?..

 

[icanhazmac]

So a few things come to mind...

1) Being able to say "wasn't us" or "wasn't our fault" with no proof of either it just plain wrong, the data must have come from either AT&T or an advertising partner.
1a) If it was one of your "partners" you shared sold user information with to, then indeed you should be liable. Data sharing should be opt-in, not opt-out. Most opt-out screens clearly state that you cannot opt out of all sharing.
2) Customers will get a measly 1 year of credit monitoring. If it is proven this is AT&Ts, or a partners fault, then customers should get a lifetime of monitoring/protection for a breech that extensive.
3) Please, lets welcome alt-stores with bargain basement payment processors into our iOS lives, surely nothing bad will happen.
4) Something like this should result in the CEO, CIO being immediately terminated along with anyone that was involved in sharing data like that with "partners". Then criminal proceedings should commence looking for gross negligence.

 

[Chuckeee]

To be fair - company usually don’t know (at all) their data leaked until they appear in the wild. That’s a fact.

But the article stated that the hackers announced they hacked the data in 2021. AT&T just denied it happened until the data appeared in the wild in March 2024. So AT&T did know about this data breach for 3 years

 

[noannualfee]

Man, this brought back old memories of AT&T when they bought out Cingular.

 

[3530025]

did you read this part?
and if they still claim its not from their systems - who the hell are they providing this kind of data to?????

But the article stated that the hackers announced they hacked the data in 2021. AT&T just denied it happened until the data appeared in the wild in March 2024. So AT&T did know about this data breach for 3 years

My bad. Yeah, that’s a sad story if it comes from that leak. Denial is quite dumb in such situation.

 

[coachgq]

Glad I dropped AT&T a long time ago.

If you went with TMo, you’ve already dealt with this. If you’re with Verizon, I’m sure the time is coming.

 

[RickG]

Just when I thought I couldn't think any less of ATT....

 

[Chuckeee]

Why does a phone company need your social security number?