In a statement posted to its website, AT&T said that a recent data set released on the dark web approximately two weeks ago contained data from its customers. At this time, it's not clear whether the hackers were able to breach AT&T systems or those belonging to one of its vendors, the company added. The data obtained by the hackers contained social security numbers, email addresses, phone numbers, dates of birth, AT&T account numbers, and AT&T passcodes.
Of the 73 million people affected, 65.4 million were former AT&T customers. In the case of the 7.6 million current customers, AT&T has automatically reset their passcodes. Passcodes are four-digit codes used by AT&T customers to add an extra layer of security to their accounts, in addition to their passwords, and are presented during some operations such as calling customer service. Customers whose passcodes have been reset have been contacted by AT&T.
Furthermore, AT&T explained that the data set appeared to contain information from 2019 or earlier. In its statement, AT&T indicated that it would be taking measures to help those potentially affected, such as offering complimentary identity theft and credit monitoring services.
"Currently, AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set," the company said. "The company is communicating proactively with those impacted and will be offering credit monitoring at our expense where applicable."
Comment: So they don't know how they were hacked, nor where the vulnerability is?
AT&T will be reaching out to current and former customers whose information was included in the data breach. The company advised customers worried about account security to monitor their account activity and credit reports.
Notably, the data set involved in the breach may have been on the dark web for some time, according to Bleeping Computer. The outlet reports that in 2021, a hacker known as Shiny Hunters purported to be selling the stolen data of 73 million AT&T customers, which included names, addresses, phone numbers, and birth dates, among others. At that time, Shiny Hunters attempted to sell the data for $200,000 and incremental offers of $30,000. AT&T denied that its system had been breached in response to Bleeping Computer in 2021.
In mid-March, the hacker MajorNelson uploaded the data set obtained by Shiny Hunters once more, Bleeping Computer reported. Bleeping Computer and other cybersecurity researchers have purportedly confirmed that at least some of the customer data included in the breach is accurate.
Unlike the breach in 2021, which the original hacker Shiny Hunters attempted to sell, MajorNelson appears to have leaked the data online for free.
Comment: It's notable that the data was leaked for free; what would the motivation be? A desire to harm AT&T? The pleasure of disrupting the lives of all those people?
Back in February: US AT&T customers hit by nationwide cellular outages