AT&T resets passcodes for 7.6 million customers after data leak. What experts are saying

The hacked data seems to be from 2019 or earlier and could include customer names, email addresses, phone numbers, social security numbers, passcodes, and more.
Written by Lance Whitney, Contributor

Millions of AT&T customers may have been affected by a data leak, forcing the carrier to change their passcodes. In a notice posted on Saturday, AT&T said that data seemingly from 2019 and earlier was leaked on the dark web, impacting 7.6 million current AT&T subscribers and 65.4 million former AT&T account holders.

The scope of the leaked data found on the dark web varies from account to account. In addition to passcodes for all affected customers, it may also include full names, email addresses, mailing addresses, phone numbers, social security numbers, dates of birth, and AT&T account numbers. The carrier said that the dataset does not contain any personal financial information or call history.

Also: Why were millions of AT&T customers left disconnected? We have an answer

AT&T said the company sent emails or letters to all current and former subscribers who were impacted by the leak. In addition to resetting customer passcodes, the company urged customers to monitor their account activity and credit reports. To do so yourself, you can set up free fraud alerts with EquifaxExperian, and TransUnion, and review a free credit report through Freecreditreport.com.

"The severity of this data breach is significantly heightened because of the Personal Identifiable Information (PII), including full names, email addresses, mailing addresses, phone numbers, Social Security numbers, dates of birth, AT&T account numbers, and passcodes, that were part of the compromised data," Anne Cutler, a cybersecurity evangelist at Keeper Security, told ZDNET. "The immediate concern is the potential exploitation of this exposed data, which could lead to various malicious activities such as identity theft, phishing attacks, and unauthorized access to user accounts."

If you're an AT&T subscriber affected by this breach, change your passcode. To do that, go to your myAT&T profile page and sign in when prompted. Scroll to the section for "My linked accounts," select Edit for the passcode you want to change, and follow the prompts.

Cutler advises you may want to take other steps as well.

"Proactive steps individuals can and should take immediately include changing login information for their account with AT&T, getting a dark web monitoring service, monitoring or freezing their credit and practicing good cyber hygiene," Cutler said. "By using strong and unique passwords for every account, enabling MFA everywhere possible, updating software regularly, and always thinking before they click, individuals can greatly increase their personal cybersecurity."

AT&T said that its internal staff is working with outside cybersecurity experts to investigate the matter. For now, the company doesn't know whether the leaked data came from its own systems or that of one of its vendors. AT&T said the carrier hasn't found any signs of unauthorized access to its systems that may have resulted in the theft of customer data.

AT&T apparently learned about the data leak last Monday. That's when TechCrunch informed the carrier that the information discovered on the dark web contained encrypted passcodes that could be used to access subscriber accounts. A security researcher told TechCrunch that the encrypted passcodes would be easy to decrypt. TechCrunch said that it held off publishing its story until AT&T could start resetting account passcodes.

Also: Everything on how to protect your privacy and stay safe online

Should AT&T have known about the data leak sooner? In 2021, a hacker claimed to be selling a dataset that contained the personal information of 70 million subscribers, as then reported by Bleeping Computer. At the time, AT&T told Bleeping Computer that the information did not appear to come from its systems and couldn't speculate where it came from or whether it was valid.

Last month, someone published all the alleged records on a dark web forum, according to TechCrunch. A more detailed analysis of the data allowed AT&T customers to confirm that the leaked data was accurate.

"Detecting a breach is never an easy task, and most industry data supports that it takes (on average) approximately 200+ days to detect a security breach," BigID CISO Tyler Young told ZDNET. "Companies should know what data they have and, more importantly, be aware of what sensitive information, such as social security numbers and addresses, they have on file in case a breach like this occurs. It is a common misconception that only small companies without the proper resources are vulnerable to attacks."

Editorial standards