AT&T admits massive 70M+ mid-March customer data dump is real though old
Still claims the personal info wasn't stolen from its systems
AT&T confirmed over the weekend that more than 73 million records of its current and former customers dumped on the dark web in mid-March do indeed describe its subscribers, though it still denies the data came direct from its systems.
The telco giant said in a press release on Saturday that the personal info that appeared on a cybercrime forum as a free download last month was genuine, and included information on 7.6 million current AT&T customers as well as 65.4 million former users. The largest data trove appears to be from 2019 or earlier based on initial investigations, AT&T said.
What's frustrating about this whole affair is that AT&T has repeatedly indicated the leaked info on its subscribers didn't come direct from its systems, though the details are or were accurate. So it must have all come from somewhere.
"It is not yet known whether the data in those fields originated from AT&T or one of its vendors," the carrier giant noted in its statement. "Currently, AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set."
The information included in the dump varies per customer, AT&T said on a support page for the incident, and may include full name, email and mailing address, phone number, SSN, birth date and AT&T account number and passcode, the latter being that four-digit identity verification number you always forget when talking to customer support.
While AT&T is withholding judgement on where the data came from, it appears to align with a massive set of AT&T customer data that was offered for sale on the dark web in 2021.
- AT&T blames marketing bods for exposing 9M accounts
- Americans wake to widespread AT&T cellular outages
- T-Mobile US exposes some customer data – but don't call it a breach
- US govt pays AT&T to let cops search Americans' phone records – 'usually' without a warrant
Cybercrime gang ShinyHunters claimed in mid-2021 to have data belonging to some 70 million AT&T customers that it was offering for sale for the tidy sum of $1 million, according to RestorePrivacy, which viewed the dataset. RestorePrivacy also spoke to members of ShinyHunters, who said the data belonged to US-based AT&T customers, but wouldn't reveal how they obtained it.
AT&T denied that the data belonged to it in 2021, and it's not immediately clear whether both sets of data are the same. That said, there are plenty of similarities, both in the volume of records included and the items included in the set. In other words, there is a load of information out there about millions of AT&T customers but no one's saying exactly how those records were collected.
AT&T claimed in March that the dataset in question may have been "the same dataset that has been recycled several times" on the forum where it was uploaded, but it's not clear whether that's the case. If it's a different set of actual customer records then that just opens a whole other can of worms. In any case, personal info is out there.
We've reached out to AT&T with questions and will update this story if we hear back. ®