Fresh AT&T data breach could impact 24M users, hackers claim


Attackers claim to have live access to AT&T infrastructure, which essentially allows them to bypass two-factor authentication tied to a specific phone number. The hacker attack allegedly impacts millions of AT&T users.

Malicious actors announced their latest escapade on a popular underground forum, which is used to trade in data leaks and software exploits. According to the post, someone breached the American telecommunications behemoth, planting malicious software inside its systems for weeks without detection.

We’ve reached out to AT&T and will update the article once we receive a reply.


Meanwhile, the Cybernews research team is investigating the attackers’ claims. At first, the team could not access the dark web website storing a data sample of the supposed leak. Several other individuals complained about the same issue in the post's comments.

However, days later the team managed to access parts of the data sample. Attackers included a post from the supposed AT&T systems. The database appears to include:

  • Phone numbers
  • Owners’ names
  • Cities
  • States
  • Carrier plans
  • Device types
  • Registration dates
  • Last activity dates
  • SIM IDs
  • Device IDs

Sample of the supposedly stolen data. Image by Cybernews.

“The threat actors claim to have deployed a custom malicious payload, which allowed them to have read/write access to the core systems of AT&T,” our team explained.

“According to the hackers, this access allows for SIM-swapping attacks, reading 2FA codes sent via SMS, as well as a database with ~24M AT&T customer data.”

Researchers believe that the screenshot of the supposedly accessed database appears to match the attackers' claims.


How dangerous could the AT&T data breach be?

The post’s authors claim that the database they breached is not static, meaning that the alleged attack enables attackers to modify information within AT&T’s infrastructure. If confirmed, it would be a gold mine for hackers.

The attackers' claim, in essence, is that they’ve gotten the ability to transfer the phone numbers of 24 million AT&T users to any SIM card they want. In turn, this enables SIM-swapping attacks, loved by the likes of Scattered Spider, a hacker group behind attacks on MGM and Caesars hotels in Las Vegas and the UK’s biggest retailer, Marks & Spencer.

“According to the hackers, this access allows for SIM-swapping attacks, reading 2FA codes sent via SMS, as well as a database with ~24M AT&T customer data. So far, the Cybernews research team has been unable to verify any of these claims,” the team explained.

SIM swapping allows an attacker to take over any communication going to a specific phone number. Think of the two-factor authentication codes you receive on your phone when attempting to log in to a protected service.

Moreover, access to a live database could allow attackers to see authentication codes in real time, creating major cybersecurity issues for everything from social media accounts to banking.

While SIM-swapping capabilities enable attackers to bypass account defenses, having a strong password may at least hamper hackers' efforts to quickly breach user accounts. One way to safeguard online accounts is a password manager, which fosters better online habits by helping users monitor their online accounts.

AT&T’s past incidents

Cybercrooks keep coming back to AT&T. Attackers are fully aware that the company hoards vast amounts of Americans’ data, as it is one of the world’s largest telecommunications companies, with yearly revenue exceeding $122 billion.

Earlier this year, malicious actors said they got their hands on tens of millions of AT&T’s records, including tax IDs, names, and IP addresses. However, the data sample attackers provided was insufficient to confirm the hacker attack.


The attackers’ claim about the supposed AT&T data breach comes during a time when the company is settling a class-action lawsuit, worth $177 million, that covers two previous incidents.

The first hacker attack happened in 2019, when attackers exposed personal details of 72 million people, while the second one happened last April when AT&T confirmed that its customer data was illegally downloaded from a third-party cloud platform. The 2024 hacker attack most likely impacted nearly all of the company’s customers.

Following a ruling from a federal judge, a settlement of $177M was reached, with $149 million dedicated for the victims of the first incident and $28 million set aside for the second. The settlement is set to start getting paid in 2026.


What is SIM swapping?

SIM swapping attacks are a form of cybercrime in which attackers convince mobile carriers to transfer the target's phone number to a SIM card controlled by malicious actors. These types of attacks often require a multi-layered approach, as cybercriminals need to have victims’ personal details and engage the mobile carrier.

Having victims' details makes the attack a lot easier, as malicious actors can provide ID information to the carrier upon request. Once the attack is successful, cybercrooks can receive calls and text messages intended for the victim.


For example, researchers believe that Noah Michael Urban, a now-jailed member of hacker group Scattered Spider, utilized SIM-swapping to break into music industry executives’ accounts, which allowed him to access unreleased content from Ariana Grande, Lil Uzi Vert, and Playboi Carti.


However, if attackers had access to a telecommunications company's live systems, they could potentially reassign phone numbers at will, eliminating the need for social engineering.

SIM swapping can lead to major financial loss for victims. Earlier this year, a California resident sued T-Mobile over a SIM swapping attack, which led to cybercriminals breaking into the victim's account and stealing over 1,500 bitcoin and roughly 60,000 bitcoin cash, which had an estimated value of $38 million at the time.
