
AT&T Says Data From 73 Million Customers Has Leaked Onto the Dark Web (cnn.com)

Personal data from 73 million AT&T customers has leaked onto the dark web, reports CNN — both current and former customers.

AT&T has launched an investigation into the source of the data leak... In a news release Saturday morning, the telecommunications giant said the data was "released on the dark web approximately two weeks ago," and contains information such as account holders' Social Security numbers. ["The information varied by customer and account," AT&T said in a statement, "but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and passcode."]

"It is not yet known whether the data ... originated from AT&T or one of its vendors," the company added. "Currently, AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set."

The data seems to have been from 2019 or earlier. The leak does not appear to contain financial information or specifics about call history, according to AT&T. The company said the leak shows approximately 7.6 million current account holders and 65.4 million former account holders were affected.

CNN says the first reports of the leak came two weeks ago from a social media account claiming "the largest collection of malware source code, samples, and papers." Reached for a comment by CNN, AT&T had said at the time that "We have no indications of a compromise of our systems."

AT&T's web site now includes a special page with an FAQ — and the tagline that announces "We take cybersecurity very seriously..."

"It has come to our attention that a number of AT&T passcodes have been compromised..."

The page points out that AT&T has already reset the passcodes of "all 7.6 million impacted customers." It's only further down in the FAQ that they acknowledge that the breach "appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and 65.4 million former account holders."

Our internal teams are working with external cybersecurity experts to analyze the situation... We encourage customers to remain vigilant by monitoring account activity and credit reports. You can set up free fraud alerts from nationwide credit bureaus — Equifax, Experian, and TransUnion. You can also request and review your free credit report at any time via Freecreditreport.com...

We will reach out by mail or email to individuals with compromised sensitive personal information and offering complimentary identity theft and credit monitoring services... If your information was impacted, you will be receiving an email or letter from us explaining the incident, what information was compromised, and what we are doing for you in response.

  • I expected them to charge me an extra fee for the data breach, and back billing to 2019 for dark web advertisements of my accounts. Thanks, AT&T

    • That'll be in your next billing cycle.

    • Correction (Score:4, Interesting)

      by Anonymous Coward on Sunday March 31, 2024 @12:39PM (#64358844)
      I like how they say that it "leaked". As if it just slipped out through a small hole in a box.

      No, AT&T, it did not "leak". You **ALLOWED** sensitive information to be **STOLEN** because you are incompetent and can't be bothered to handle it properly.
  • Wouldn't they do that if they knew it wasn't compromised?
  • by Z80a ( 971949 ) on Sunday March 31, 2024 @11:29AM (#64358740)

    It's probably not far off from the truth and if by miracle it doesn't (and it's not sold purposefully as well), you don't lose as much as if you fully trusted em

    • by antdude ( 79039 )

      Agreed. What are we supposed to do with our leaked data though? :(

      • by Z80a ( 971949 )

        Damage control.
        Make sure to never have something that can be used to ruin your entire life in a single database if possible

  • How is this legal? (Score:5, Insightful)

    by ebonum ( 830686 ) on Sunday March 31, 2024 @11:37AM (#64358756)

    AT&T and other companies should be barred from storing this (Socials, dates of birth) information. We know they are not competent to protect it. It should be illegal for them to possess it any longer than it takes to complete the task it is required for (for instance, a credit check). After the data is no longer required, it should be deleted via an overwrite. It should never be included in nightly back-ups.

    • by iAmWaySmarterThanYou ( 10095012 ) on Sunday March 31, 2024 @12:15PM (#64358810)

      This is the only thing my shitty little startup companies consistently did right.

      We fully understood and accepted we were a bunch of "go fast, fix later" dumb asses so we made sure to never store any important user data.

      AT&T storing SSN and DoB is fucking nuts and off the charts arrogant.

    • ALL personal data should only be in an ephemeral state. They should know nothing about me other than their id number for me, my phone because they control that, and whatever plan that phone gets. That's it.
    • by tlhIngan ( 30335 )

      It's because no one cares.

      Imagine if business started expunging from their database information they don't need from their databases. They could advertise it as "we keep only the information we need to bill you", basically just things like an email address, password, and address and what plan you're on.

      That company will likely not get much additional customers over someone who slurps up everything about you and sells it to data brokers.

      Of course, one really wonders why data brokers pay for that information -

  • I wonder if AT&T will also back-bill for copper-wire local/router internet service? I use AT&T for that, but a much more reliable (sic ' VERISON dumb-fone) for cell and my website provider for email. AT&T has been raising rates (from $40 -> $70) in recent months. Here comes the slam.
  • by GFS666 ( 6452674 ) on Sunday March 31, 2024 @12:59PM (#64358864)

    I had several of my accounts Hacked last week and I know it was because I didn't have 2FA set for my Old Email address which has used the same password for more years than I want to admit. And I'm certain it was used for my old AT&T account. The hackers used that info to get into my webmail access to my email account and then used that to reset passwords/login info for various accounts. Luckily, all the really critical accounts already had 2FA set up by default.

    And yes, I richly deserve the pain my stupidity has caused. Lesson learned and I'm being more security conscious now. Luckily, I've gotten access back to everything except two accounts (Discord and Etsy). What it also has showed me is that some organizations are FAR better at verifying/resetting hacked accounts than others. Ebay is actually quite good and flagged an attempted break in of my account so fast that nothing was affected.

    Etsy customer service, on the other hand, really sucks. I was able to report almost immediately when the hacker changed my Email address/login info. Reported it and got a email back from their customer service fairly quickly. Have done an email chain with them for the last couple of days and finally figured out that the "person" responding back to me is nothing more than an automated system. No real person has actually seen my report or request. The "system" keeps sending me back a message saying that they are sending me an email to my "email address on file" requesting that "reset" my password. I sent an email back requesting that I talk to a person or chat window, explaining that, obviously, the hacker's email address is the one that they have on file, not mine. Quite irritating. If anyone knows how to get in touch with a real live person at Etsy that would be appreciated.

    • by Bob_Who ( 926234 )

      If anyone knows how to get in touch with a real live person at Etsy that would be appreciated.

      They've all been "SWATed" by now.

  • We would strongly prefer not to store social security numbers. It is a real pain to manage security around it. However, we provide a service that allows thousands of employers to send employee payroll data to multiple parties that need it. And everybody insists on using SSNs for this purpose as it can reliably be used to identify a single individual. There is no equivalent. I've been trying to think of a way to store only encrypted data. But it has to be done in a way that does not cause massive pain

    • I would think that making this post would paint a huge target on your company.
    • by MrData ( 130916 )
      There was a massive hack of SSNs around 10 years ago ... of the IRS !!!!! And Congress refuses to make it illegal to use a stolen SSN. Get used to it, "you will own nothing and be happy".
  • While AT&T does take steps to keep folks from taking massive amounts of data
    ( Example: USB sticks and external hard drives are disabled on all Company desk
    and laptops ) it is still possible to move it if you're dedicated enough.

    Couple that with the fact that the Company has moved quite a bit of support / help
    desk type jobs overseas ( India and the like ) where they can pay them pennies on
    the dollar and you end up with a problem.

    These folks have access to internal networks as network admins in some cases

  • ...they want to snitch on you to credit agencies when you don't pay your bill.
