AT&T confirms 70M+ dataset was leaked on hacker forum – yet again

AT&T has confirmed to Cybernews that the hacker posting of an alleged AT&T database leak from two weeks ago did contain the sensitive information of more than 73 million customers.

This past weekend, AT&T finally decided to address the data leak that won’t go away, issuing an official statement – and a massive passcode reset for all impacted customers.

The customer data – which appears to be a repeat leak from an alleged 2021 hack that AT&T has consistently denied ever took place – was posted on the popular hacker marketplace BreachForums on March 17th.

AT&T dataset leak on BreachForums. Image by Cybernews.

“AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web; source is still being assessed,” the company said.

“While AT&T has made this determination, it is not yet known whether the data in those fields originated from AT&T or one of its vendors,” it said.

The company stands by its previous assessment that it has no evidence of unauthorized access or exfiltration of the dataset, which it said “appears to be from 2019 or earlier.”

Researchers at vx-underground, who reviewed the leak, confirmed that the stolen data appears legitimate.

The latest leak

The company said the passcodes of about 7.6 million current account holders and 65.4 million former account holders were compromised in the leak.

An AT&T spokesperson told Cybernews on March 18th that the company had “no indications of a compromise of our systems,” but did say they were aware it was “the same dataset that has been recycled several times on this forum.”

AT&T is referring to the popular dark marketplace BreachForums, a known online venue where cybercriminals buy, sell, and trade stolen data, hacked accounts, malware, and other nefarious items.

BreachForums user MajorNelson – responsible for the latest AT&T leak iteration – titled the post “AT&T Division Database hacked by @ShinyHunters (2021).”

According to MajorNelson, the dataset contains “73,481,539 lines,” and any encrypted values in the cache have been replaced with readable social security numbers and birthdates gathered from “other files.”

Further information appearing in the database includes full names, physical addresses, emails, and phone numbers, making it ripe for cybercriminals who specialize in identity theft.

In April 2022, Cybernews reported on what appears to be the original AT&T dataset leak, posted for sale directly by ShinyHunters on the forum for $200,000.

ShinyHunters is a notorious hacker gang first identified by security researchers in 2020. The gang has claimed several high-profile data breaches, including one at rival carrier T-Mobile, which compromised 40 million users just weeks before the AT&T breach.

In fact, the gang was found trying to sell the stolen user data from both carriers within days of each other on the dark markets.

Since then, ShinyHunters has been rumored to have taken over administrative duties at BreachForums after it was raided by the FBI last March.

In that sordid case carried out by the feds, the former BreachForums administrator, 21-year-old Conor Fitzpatrick from upstate New York, was sentenced this past January to 20 years of supervised release for running the site.

Meanwhile, in October 2022, another cybercriminal group also claimed to have hacked AT&T. The Everest ransomware gang, with possible ties to the BlackByte ransom group, posted on its dark leak site that it was selling access to the AT&T corporate network. At the time, AT&T (again) said there was no evidence its systems were hacked, but that it was investigating.

AT&T resets customer passcodes

AT&T said it has already reset the passcodes of its 7.6 million current account holders, who are now being notified about the leak. Former customers with “compromised sensitive personal information” are also being contacted. Passcodes, unlike passwords, typically use a numeric string to authenticate a user.

The company is advising affected customers to vigilantly monitor their accounts and credit reports, as well as to set up the free fraud alerts offered by the three major US credit bureaus.

Furthermore, free credit monitoring will be available to those impacted, AT&T stated. Customers with more questions can visit the AT&T website for further information.

AT&T reiterated that the cyber incident has not materially impacted AT&T’s operations and said it has since launched a “robust investigation” bringing in outside cybersecurity experts.

“We take cybersecurity very seriously and privacy is a fundamental commitment at AT&T,” the company said.