Analysis Summary

After originally denying that the leaked data originated from them, AT&T has finally acknowledged that it is affected by a data breach that affects 73 million current and former customers.

This follows AT&T's repeated denials over the previous two weeks that their systems were compromised or that the vast amount of compromised consumer data originated from them. Although the company maintains that there is no proof of its systems being compromised, it has now acknowledged that the exposed information pertains to 73 million of its previous and present clients. The company adds that 7.6 million customers' security passcodes, which are used to protect their accounts, were also compromised.

The company issued a statement saying, “Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.”

A threat actor asserted in 2021 that they were offering for sale 73 million AT&T customers' stolen data. Names, addresses, phone numbers, social security numbers, and birth dates are all included in this data. AT&T denied at the time that they had experienced a breach or that their data was the source of the information.

In 2024, a different threat actor claimed to have exposed the vast dataset on a hacker forum, claiming it to be the same information that the previous cybercriminal had obtained. After examining the data, it was discovered that it included the same private data that was previously reported to have been taken, but not every customer's birthdate or social security information was made public in that event. Once more, AT&T refuted claims that they experienced a hack or that the data came from them.

After the data leak, more than fifty AT&T and DirectTV subscribers informed that the information was exclusive to their AT&T accounts. These clients claimed that they created DirectTV or AT&T-specific email accounts that they only used when they signed up for their services by using the disposable email feature of Gmail and Yahoo. Since it was verified that these email addresses were not utilized on any other platform, AT&T or DirectTV had to be the source of the data.

AT&T informed today that they would only provide more details about the incident in their released statement and on a new page dedicated to securing AT&T accounts. The information on maintaining account security also reveals that 7.6 million AT&T users' passcodes were hacked as part of the attack and have been reset by the company. Whether it's for receiving customer service, managing accounts at retail locations, or logging into online accounts, customers utilize these passcodes to further secure their AT&T accounts.

AT&T adds that neither call history nor personally identifiable financial information is included in the data, which looks to be from 2019 and earlier. The 73 million current and past customers will all receive notifications from the company regarding the breach and what has to be done next. Customers of AT&T can use Have I Been Pwned to find out if this incident affected their info as well.

Impact

• Exposure to Sensitive Information
• Credential Theft
• Identity Theft

Remediation

• Regularly change passwords for all accounts.
• Use strong, unique passwords for sensitive accounts.
• Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
• Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• Never trust or open links and attachments received from unknown sources/senders.