A breach seller has recently released the complete dataset,first hinted at by a hacker three years ago, online. It holds the personal details of approximately 73 million AT&T customers.
After a thorough examination of the complete leaked dataset, which includes personal information such as names, home addresses, phone numbers, Social Security numbers, and dates of birth, it appears that the data is indeed genuine. Several AT&T customers have verified the accuracy of their leaked customer data. However, AT&T has not yet revealed the specifics of the online exposure of its customers’ data.
Claiming to have stolen millions of AT&T customers’ data, the hacker initially released only a limited sample of the leaked records, making it challenging to confirm its legitimacy.
AT&T, the largest phone carrier in the United States, stated in 2021 that the leaked data did not seem to originate from their systems. However, they refrained from speculating on the source or validity of the data.
Troy Hunt, a security researcher and owner of a data breach notification site, recently acquired a complete copy of the leaked dataset. Using his expertise, Hunt verified the authenticity of the leaked data by reaching out to AT&T customers and confirming the accuracy of their records.
According to a blog post analyzing the data, Hunt revealed that out of the 73 million leaked records, there were 49 million unique email addresses, 44 million Social Security numbers, and customer dates of birth.
When contacted for a response, AT&T spokesperson Stephen Stokes assured Eltrys that there is no evidence of any breach in our systems. Our analysis from 2021 suggests that this online forum’s information did not originate from our systems. This forum appears to have reused the dataset multiple times.
The AT&T spokesperson failed to respond to subsequent emails from Eltrys regarding the authenticity of the reported customer data or the source of the data belonging to its customers.
According to Hunt, it is still unclear where the breach originated from. It remains uncertain whether AT&T has any knowledge of the data’s origin. Hunt suggested that the data could have come from either AT&T or a third-party processor they work with, or even from an unrelated entity.
It is evident that even after three years, the mystery breach remains unsolved, and AT&T is unable to explain how its customers’ data ended up online.
Investigating data breaches and leaks requires a significant amount of time and effort. However, AT&T should be able to offer a more comprehensive explanation regarding the public accessibility of millions of its customers’ data.
