AT&T Says Data From 73 Million Accounts Leaked on Dark Web

The incident hasn’t had a material effect on operations, the company said. The dark web data leak appears to be from 2019 or earlier.

Bloomberg News

April 1, 2024

2 Min Read
AT&T logo on the face of a building

(Bloomberg) -- AT&T Inc. said that personal data from about 73 million current and former customers was leaked onto the dark web, prompting it to reset 7.6 million account passcodes.

The data, which included 65.4 million former customers, spilled onto the dark web about two weeks ago. Information divulged  may have included customers’ full name, email and postal address, phone number, Social Security number, date of birth, AT&T account number and passcode, the company said in an email to consumers. It apparently does not contain personal financial information or call history.

The data appears to be from 2019 or earlier, AT&T said Saturday in a statement. The source of the data is still being investigated, according to AT&T, and it’s not known whether it came from the company or a vendor.

Shares closed little changed at $17.50 after dropping nearly 3% Monday morning.

AT&T said it doesn’t have evidence of unauthorized access to its systems, and that the leak hasn’t had a material effect on its operations as of Saturday.

“The company is communicating proactively with those impacted and will be offering credit monitoring at our expense where applicable,” according to the statement.

AT&T was sued over the data breach, with a class action lawsuit filed March 30 in the US District Court for the Northern District of Texas saying the company recklessly maintained customers’ personally identifiable information and failed to take measures to secure its system.

Related:Clorox Audit Revealed Cybersecurity Flaws at Its Plants in 2020

The recent data leak comes about three years after a hacker known as ShinyHunters claimed to have stolen the personal information of about 70 million AT&T customers, according to reports from BleepingComputer at the time. AT&T denied then that it was the victim of a data breach, saying the stolen information didn’t come from its own systems. 

The hacker posted only a small sample of records in 2021, which it was selling for a starting price of $30,000, according to media reports at the time. ShinyHunters had previously taken credit for breaches against other US companies, only to post databases of stolen data after apparently failing to convince other dark web users to pay for it. 

TechCrunch earlier reported on the recent leak after a data seller published the full 73 million alleged AT&T records on a cybercrime forum. TechCrunch said it informed AT&T about the leak last week and held publication of its article until the company could begin resetting the passcodes.

AT&T is the third-largest US retail wireless carrier, behind Verizon Communications Inc. and T-Mobile US Inc., according to data compiled by Bloomberg. The company in February experienced a widespread outage that took hours to resolve, prompting an investigation by the federal government.

T-Mobile agreed in 2022 to pay $350 million to settle a class-action lawsuit after records of more than 50 million customers were leaked. The following year it revealed another major breach of customer information on about 37 million subscribers

About the Author(s)

Bloomberg News

The latest technology news from Bloomberg.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like