Incident Analysis

AT&T Data Breach: 73 Million Customer Records Surface on the Dark Web

In March 2024, AT&T confirmed that a dataset containing personal information of approximately 73 million current and former customers, including encrypted passcodes, had been published on the dark web, three years after its initial appearance.

Bob
Security Researcher

On March 30, 2024, AT&T confirmed that a dataset containing personal information of approximately 73 million current and former customers had been posted on the dark web. The data included Social Security numbers, passcodes, email addresses, mailing addresses, phone numbers, and dates of birth. AT&T reset passcodes for 7.6 million active accounts and began notifying all affected individuals.

The dataset had a peculiar history. It first surfaced in 2021 when a threat actor claimed to be selling AT&T customer data. AT&T denied at the time that the data had come from its systems. Three years later, the same dataset appeared again on Breach Forums, posted for free download. This time, security researchers confirmed the data was genuine, and AT&T finally acknowledged the breach.

The Three-Year Mystery

The origins of the 73-million-record dataset remain disputed. AT&T has never definitively confirmed how or when the data was originally exfiltrated. The company stated that the data "appears to be from 2019 or earlier" based on the information contained in the records.

In August 2021, a threat actor known as ShinyHunters claimed to be selling data from AT&T affecting 70 million customers. AT&T investigated at the time and stated the data did not originate from its systems. The implication was that the data might have come from a third-party vendor or data broker rather than from AT&T directly.

When the data resurfaced in March 2024, posted by a different threat actor on Breach Forums, AT&T conducted a new investigation. This time, the company acknowledged that the data was linked to AT&T customer accounts, regardless of whether it had been exfiltrated from AT&T's own systems or from a third-party source.

The three-year gap between the initial appearance and AT&T's acknowledgment raised serious questions about the company's initial investigation and its transparency with customers.

What Was Exposed

The leaked dataset contained records for approximately 73 million individuals, broken down as:

  • 7.6 million current AT&T account holders
  • 65.4 million former account holders

The compromised data categories included:

  • Full names
  • Email addresses
  • Mailing addresses
  • Phone numbers
  • Social Security numbers
  • Dates of birth
  • AT&T account numbers
  • AT&T passcodes (encrypted)

The exposure of encrypted passcodes was a specific concern. AT&T passcodes are four-digit numeric PINs used to authenticate customers when they call AT&T customer service or make account changes in stores. Security researchers quickly demonstrated that the encryption on the passcodes was weak and could be easily reversed, effectively exposing the passcodes in plaintext.

With a passcode in hand, an attacker could call AT&T customer service, impersonate the account holder, and make changes to the account, including porting the phone number to a new SIM card (SIM swapping). SIM swapping enables interception of SMS-based two-factor authentication codes, potentially compromising the victim's bank accounts, email, and other services.
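As an added illustration (not AT&T's scheme or code; the transform, pepper and sample PINs below are constructed), the following Python shows why any unkeyed, deterministic encoding of a four-digit passcode is recoverable from a leaked table, next to a keyed per-account construction that a leaked table alone cannot invert.

```python
# Added example, not AT&T's code. The page says the passcodes were "encrypted"
# yet easily reversed: any unkeyed, deterministic transform of a four-digit PIN
# has at most 10,000 distinct outputs, so a leaked table is a codebook. A keyed,
# salted, per-account MAC with a secret held outside the database removes that
# property. The transform, pepper and PIN population here are constructed.
import hashlib
import hmac
import secrets
from collections import Counter

DEMO_PEPPER = b"demo-pepper-hold-in-kms-not-in-db"  # assumption: KMS/HSM-held secret


def deterministic_encode(pin: str) -> str:
    """Stand-in for an unkeyed deterministic transform (constructed; the page
    does not describe the real scheme). Same PIN -> same stored value."""
    return hashlib.sha256(pin.encode()).hexdigest()


def protect_pin(account_id: str, pin: str, salt=None, pepper: bytes = DEMO_PEPPER):
    """Keyed, salted, per-account tag. Returns (salt, tag); store both."""
    salt = salt or secrets.token_bytes(16)
    msg = salt + account_id.encode() + b"\x00" + pin.encode()
    return salt, hmac.new(pepper, msg, hashlib.sha256).digest()


def verify_pin(account_id: str, pin: str, salt: bytes, tag: bytes,
               pepper: bytes = DEMO_PEPPER) -> bool:
    """Constant-time check. The 10,000-guess online space still needs rate
    limiting and lockout at the customer-service channel; this construction
    only stops offline recovery from a leaked table."""
    _, expected = protect_pin(account_id, pin, salt, pepper)
    return hmac.compare_digest(expected, tag)


def shared_value_ratio(stored) -> float:
    """Fraction of accounts whose stored value also appears on another account:
    high under a codebook, ~0 under the keyed construction. A defender can run
    this over a dump to classify the scheme without knowing any PIN."""
    counts = Counter(stored)
    return sum(1 for v in stored if counts[v] > 1) / len(stored)


def compare_schemes(n: int = 50):
    """Constructed population: PINs drawn from five common choices so that
    repeats occur, as they do in any real customer base."""
    common = ["1234", "0000", "1111", "2580", "1212"]
    pins = [common[i % len(common)] for i in range(n)]
    codebook = [deterministic_encode(p) for p in pins]
    keyed = [protect_pin(f"acct-{i}", p)[1] for i, p in enumerate(pins)]
    return shared_value_ratio(codebook), shared_value_ratio(keyed)


if __name__ == "__main__":
    print("shared-value ratio (codebook, keyed):", compare_schemes())
```

Even with the keyed form, a pepper leaked alongside the table reduces each account to 10,000 HMAC evaluations, so the secret must live outside the database and the channel must enforce attempt limits.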

AT&T's Response

AT&T took several immediate actions after acknowledging the breach:

Passcode resets: The company reset passcodes for all 7.6 million current account holders whose data appeared in the leak. Former customers were not affected by the passcode reset since their accounts were no longer active.

Customer notifications: AT&T began sending notification letters to all 73 million affected individuals, offering credit monitoring through Experian for one year.

Enhanced security measures: AT&T stated it had enhanced internal security practices and was working with external cybersecurity firms to investigate the breach and improve defenses.

Law enforcement coordination: The company stated it was cooperating with law enforcement investigations into the breach.

However, AT&T's response was criticized on several fronts. The one-year credit monitoring offer was viewed as insufficient for a breach involving Social Security numbers, which never expire and can be used for identity theft indefinitely. The company also faced criticism for the three-year delay in acknowledging the data's authenticity.

The SIM Swapping Threat

The exposure of AT&T passcodes created an immediate SIM swapping risk for millions of customers. SIM swapping has become one of the most damaging forms of account takeover, and telecommunications companies are the key enablers.

In a SIM swap attack:

  1. The attacker contacts the carrier (AT&T) and impersonates the victim
  2. Using the victim's passcode and personal information (all available in the leak), they request a SIM transfer
  3. The carrier ports the victim's phone number to a SIM card controlled by the attacker
  4. The attacker now receives all calls and text messages intended for the victim
  5. The attacker uses intercepted SMS codes to reset passwords on the victim's bank, email, and cryptocurrency accounts

The AT&T breach provided everything needed for step 2: the passcode, full name, date of birth, Social Security number, and account number. Victims were at risk not just of losing their AT&T service but of losing access to every account that relied on their phone number for verification.

AT&T's forced passcode reset mitigated this risk for current customers who had not yet been targeted. But the window between the data's publication and the passcode reset was a period of elevated risk.

Legal and Regulatory Fallout

The breach triggered multiple legal actions:

  • Class-action lawsuits were filed in federal courts across several states, alleging negligence in data protection and unreasonable delay in notification
  • The FCC investigated the breach under its authority over telecommunications carrier data security
  • Multiple state attorneys general opened investigations

The lawsuits particularly focused on the three-year gap between the data's first appearance and AT&T's acknowledgment. Plaintiffs argued that if AT&T had properly investigated the 2021 claim, it could have identified and notified affected customers years earlier, giving them time to protect themselves.

The FCC investigation was significant because the commission had recently updated its data breach notification rules for telecommunications carriers. The new rules imposed stricter timelines and broader notification requirements than the previous framework.

Data Retention and Former Customers

A striking aspect of the breach was that 65.4 million of the 73 million affected individuals were former AT&T customers. Their data was still retained in AT&T's systems or accessible through AT&T's data ecosystem long after they had ended their customer relationship.

This raises fundamental questions about data retention in the telecommunications industry. Carriers retain customer data for billing, regulatory compliance, and business purposes. But the retention of Social Security numbers, dates of birth, and other sensitive identifiers for tens of millions of former customers creates a massive target that persists long after the business relationship has ended.

Data minimization, the principle of retaining only the data necessary for legitimate purposes and deleting it when it is no longer needed, could have significantly reduced the impact of this breach. If former customers' Social Security numbers had been purged after a reasonable retention period, tens of millions of people would not have been affected.

How Safeguard.sh Helps

The AT&T breach highlights the risks of data sprawl, weak credential protection, and insufficient supply chain visibility. Safeguard.sh helps organizations manage these risks:

  • Software and data inventory provides complete visibility into the systems that store and process sensitive customer data, identifying where personal information resides across your infrastructure and vendor ecosystem.
  • Vulnerability monitoring tracks security weaknesses in your data management systems, encryption implementations, and authentication mechanisms, alerting you to issues before they become breach vectors.
  • Policy enforcement defines data retention, encryption, and access control standards that must be met across your software supply chain, ensuring consistent security practices.
  • Continuous assessment monitors your security posture over time, detecting drift from security baselines and flagging when systems fall out of compliance.

Seventy-three million records sat exposed for three years before AT&T acknowledged the breach. Safeguard.sh ensures you have the visibility and governance to act faster than that.
