Personal information belonging to millions of past and present AT&T data breach customers has been leaked online, including Social Security numbers (SSNs), passcodes and contact details, the multinational company says.
In a statement on Saturday, the telecommunication network – the largest in the United States – said a recently discovered dataset on the “dark web” contained information for about 7.6 million current AT&T account holders and 65.4 million former users, totalling about 73 million affected accounts.
It is not known if the AT&T data breach “originated from AT&T or one of its vendors”, the company said.
“To the best of our knowledge, the compromised data appears to be from 2019 or earlier and does not contain personal financial information or call history,” the statement added.
All 7.6 million existing account holders whose sensitive personal information was compromised were set to be notified about the breach AT&T. The company said it had already reset passcodes and was investigating the incident.
In addition to passcodes and SSNs, the hacked data possibly included email and mailing addresses, phone numbers and birth dates, AT&T data breach
Reports of the breach first surfaced on a hacking forum nearly two weeks ago. It is unclear if the leak is linked to a similar breach in 2021 that was widely reported but that AT&T did not acknowledge.
A hacker at the time claimed to have access to data of 70 million AT&T customers, including their names, addresses, phone numbers, SSNs, and date of birth.
Auction data on a hacking forum revealed the hacker attempted to sell the stolen information for thousands of dollars.
“If they assess this and they made the wrong call on it, and we’ve had a course of years pass without them being able to notify impacted customers” then it’s likely the company will soon face class action lawsuits, cybersecurity expert Troy Hunt told The Associated Press news agency.
Troy, the creator of Have I Been Pwned? – a website that alerts subscribers to data breaches – said in a blogpost at least 153,000 of his customers were affected.
The Dallas-based company faced challenges earlier in February after an outage temporarily knocked out mobile phone service for thousands of users.
AT&T blamed the incident on a technical coding error, not a malicious attack. Other networks were also affected, but AT&T appeared to be the hardest hit.
Personal data belonging to 73 million current or former AT&T customers has been leaked online.
Information including addresses, social security numbers and passcodes was published on the dark web, the US telecoms giant said.
AT&T said it had not identified evidence indicating the data had been stolen but had brought in cybersecurity experts to investigate.
The company said it had reset customers’ passcodes.
They were urged by the company to “remain vigilant by monitoring account activity and credit reports”.
The data involved in the breach appears to be from 2019 or earlier and is linked to 7.6 million customers and 65.4 former account holders.
It also includes information such as full names, email addresses and dates of birth, though AT&T said financial information had not appeared in the leak.
The company said in a statement that it was unclear whether the data had originated from its own systems or via a third-party supplier.
AT&T’s wireless 5G network covers around 290 million people across the US and the company is one of the country’s largest mobile and internet services providers.
In February, a major outage impacted tens of thousands of phone users, which prompted an apology from the firm and an offer of $5 credit for those affected.
Prosecutors in New York launched an investigation into that episode, which left people unable to use their phones for around 12 hour.