AT&T Says Leaked Data of 70 Million People Is Not From Its Systems

An anonymous reader quotes a report from BleepingComputer: AT&T says a massive trove of data impacting 71 million people did not originate from its systems after a hacker leaked it on a cybercrime forum and claimed it was stolen in a 2021 breach of the company. While BleepingComputer has not been able to confirm the legitimacy of all the data in the database, we have confirmed some of the entries are accurate, including those whose data is not publicly accessible for scraping. The data is from an alleged 2021 AT&T data breach that a threat actor known as ShinyHunters attempted to sell on the RaidForums data theft forum for a starting price of $200,000 and incremental offers of $30,000. The hacker stated they would sell it immediately for $1 million.

AT&T told BleepingComputer then that the data did not originate from them and that its systems were not breached. "Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems," AT&T told BleepingComputer in 2021. When we told ShinyHunters that AT&T said the data did not originate from them, they replied, "I don't care if they don't admit. I'm just selling." AT&T continues to tell BleepingComputer today that they still see no evidence of a breach in their systems and still believe that this data did not originate from them.

Today, another threat actor known as MajorNelson leaked data from this alleged 2021 data breach for free on a hacking forum, claiming it was the data ShinyHunters attempted to sell in 2021. This data includes names, addresses, mobile phone numbers, encrypted date of birth, encrypted social security numbers, and other internal information. However, the threat actors have decrypted the birth dates and social security numbers and added them to another file in the leak, making those also accessible. BleepingComputer has reviewed the data, and while we cannot confirm that all 73 million lines are accurate, we verified some of the data contains correct information, including social security numbers, addresses, dates of birth, and phone numbers. Furthermore, other cybersecurity researchers, such as Dark Web Informer, who first told BleepingComputer about the leaked data, and VX-Underground have also confirmed some of the data to be accurate. Despite AT&T's statement, BleepingComputer says if you were an AT&T customer before and through 2021, it's "[safe] to assume that your data was exposed and can be used in targeted attacks."

Have I Been Pwned's Troy Hunt writes: "I have proven, with sufficient confidence, that the data is real and the impact is significant."

For once it's not T-Mobile

[satsuke]

Hey, for once its not T-Mobile getting breached.

And yeah, saying it didn't come from their system but it entirely contains data from their systems doesn't add up.

That's like trying to say you didn't kill someone because the guy you hired to do it killed them.

Or the CEO didn't _directly_ commit fraud when they told the CFO to cook the books.

Re:For once it's not T-Mobile

[Voyager529]

And yeah, saying it didn't come from their system but it entirely contains data from their systems doesn't add up.

Assuming this statement is demonstrably accurate, the most likely scenario is that there was some 'trusted partner' to whom AT&T sold a bunch of data, and it was that 'trusted partner' who then got hacked and had the data dump exfil'd.

Re:

[war4peace]

Disgruntled employee(s) with access to that data?

Re:

[YuppieScum]

Or it could be that they outsourced some development work and included an unsanitized db dump for testing... which means that they'd actually have paid to have the data leaked.

Re:

[CAIMLAS]

So what AT&T did then was not only criminally negligent, it was overtly and intentionally illegal.

Re:

[mysidia]

most likely scenario is that there was some 'trusted partner' to whom AT&T sold a bunch of data

Oh.. so if they sold it. In other words the data Originated from a sale of data by ATT.

If that's the case then based on what the article says BleepingComputer was told a lie:
told BleepingComputer then that the data did not originate from them

The truth would be that it Originated from ATT but was released by a 3rd party ATT sold access to without authorization.

Re:

[jenningsthecat]

The truth would be that it Originated from ATT but was released by a 3rd party ATT sold access to without authorization.

Came to say exactly this. The data was AT&T's responsibility. It doesn't matter whether it was stolen from their servers, from a third party's servers, or telepathically by the Flying Spaghetti Monster - it still happened to their data, on their watch, and it's their customers who are getting screwed.

If the system was fair and laws were as they should be, AT&T should be worried about going bankrupt via government fines and successful lawsuits. Instead, it's merely a "too bad, so sad, oh well" moment

"Your rectal scans are safe here at Hallmark."

[Pseudonymous Powers]

Why, in 2024, do private companies still store your social security number? Why are those and other companies still asking for it?

Re:

[crunchy_one]

Sure you can have my social security number, it's 123-45-6789. Want my phone number, but of course, it's 1-212-555-1212. You're welcome!

Re:

[antdude]

And why do some want credit reports like Frontier when ordering its fiber service?

cell service since the 90s

[awwshit]

I've had AT&T cell service since the 90s. Never used any other AT&T service. Used the same email on my account the whole time. I seem to have avoided being on this list.

As a non-American, my first question is

[entranced]

Why does AT&T have and need customer SSNs in the first place?

Re:

[nightflameauto]

Why does AT&T have and need customer SSNs in the first place?

Blah blah blah tax code blah blah blah identity blah blah blah gimme all your data, we heard we could monetize it.

Re:

[mysidia]

The Tax code doesn't require ATT have your SSN to file any tax forms, unless they are Paying money to you.

Last I checked the Phone company only ever Sends me bills and I pay them.

They never ever ever pay me... unless it's a Refund or a $5 credit for a service outage, which is not taxable and does Not get reported on any tax forms.

Re:

[drinkypoo]

Non-prepay customers are applying for credit when they get cell phone service, and this requires your SSN.

Re:

[schneidafunk]

Good point, I have never given my SSN out to a phone company. Has anyone else?

Re:

[Anonymous Coward]

You can't get T-Mobile5G home internet without providing your SSN (despite the fact that they've had multiple breaches themselves) ... otherwise I'd have switched to it long ago.

Re:

[gkelley]

I have AT&T and did not provide my SSN nor was I asked for it.

Re:

[Tony Isaac]

Your question is legitimate, and adds to the credibility of AT&T's claim that the data isn't from them. I'm an AT&T customer who signed up for one of their cell plans just a year ago. I never gave them a SSN, and I wouldn't expect most customers would have been asked for it.

Re:

[sacdelta]

AT&T has more than cell service, and some of those services have separate record systems. Over the years I have used AT&T for cell, tv and internet. For each one, I had a unique e-mail that only that service was provided. The e-mails I used for tv and internet showed up in the breach, the one for cell service did not.

As far as SSNs, they used to use them to verify credit worthiness. They may not use that method anymore.

Re:

[bill_mcgonigle]

They claim you are applying for credit on a postpaid account.

Re:

[matthiashj]

Or more importantly, why is USA built around the concept that the SSN is sensitive and secret information?

"It wasn't us, it was a

[Tablizer]

...different slimebag; one we share our data with."

Nice try, AT&T, right up there with, "But mom, I didn't put the cat in the dryer, I simply held the door open so Maggy could do it!"