AT&T Data Saga: From 2021 Leak Claims to 2024 Confirmation AT&T is still untangling the fallout from a huge cache of customer data-covering about 73 million current and former account holders-that first appeared for sale in 2021 and was finally confirmed as authentic in spring 2024. The dataset contains names Social Security numbers dates of birth and four-digit account passcodes. AT&T continues to investigate whether the records came from its own environment or from a vendor but it says there is still no evidence of an internal network intrusion. — , Breach Chronology

Aug 2021 – The hacking collective ShinyHunters advertises a trove of ~70 million AT&T records on RaidForums. AT&T states it can find “no indication” its systems were compromised. 17 Mar 2024 – A user calling themselves “MajorNelson” reposts what appears to be the same data-this time as a free 70 GB download on a hacking forum. Researchers confirm live SSNs and discover the “encrypted” passcodes can be brute-mapped back to plaintext. 26 Mar 2024 – AT&T lists 26 March as its official “date of discovery” in state regulator filings . 30 Mar 2024 – AT&T acknowledges the dataset stating it affects 7.6 million current and 65.4 million former customers. All current customers’ passcodes are force-reset. 2 Apr 2024 – AT&T emails notices confirming roughly 73 million individuals were exposed. Apr 2024 → – Multiple class-action lawsuits accuse AT&T of negligence and of delaying disclosure after the 2021 listing. , —

Personal identifiers: full name date of birth Social Security number Account details: four-digit wireless passcode/PIN contact information Data vintage: most records appear to pre-date mid-2019 Because the passcodes were hashed in a way that yields only 10 000 unique outputs attackers (and researchers) could reverse them quickly-one reason AT&T reset passcodes for all 7.6 million active customers. , —

Investigation – A “robust” forensics review with external experts to determine whether the source is internal or an outside partner. Notifications – Email and postal letters to current and former customers; ongoing outreach to any additional individuals identified. Mitigation – Automatic passcode resets for current customers free credit-monitoring and identity-protection services and reminders to watch financial accounts for suspicious activity. Litigation – AT&T faces a growing stack of federal lawsuits over alleged failure to safeguard data and alleged delay in confirming the breach. AT&T says the incident has not had a material impact on its operations though reputational and legal risks remain. —

Related AT&T Security Incidents

March 2023: ~9 million wireless customers had certain CPNI exposed after a third-party marketing vendor was breached. June 2024 (separate event): AT&T disclosed that call-detail records for ~109 million lines had been scraped from a misconfigured Snowflake data environment. —

Long lag between rumor and confirmation – Data first surfaced in 2021 but AT&T validated it only after the full archive was re-leaked in 2024. Uncertain breach vector – Whether attackers penetrated AT&T directly or siphoned data from a vendor remains unresolved. Weak passcode hashing – Four-digit PINs were “encrypted” in a way that allowed trivial full reversal. Ongoing legal exposure – The 2024 acknowledgment triggered a wave of class actions and heightened scrutiny of AT&T’s data-protection practices. What customers can do: Verify that your account PIN has been reset enable multifactor authentication where available, and monitor credit reports and financial statements for anomalies.