Three years after a hacker first teased an alleged mass theft of AT&T customer data, a breach vendor this week dumped the full data set online. It contains the personal information of approximately 73 million AT&T customers.
A new analysis of the full leaked data — containing names, home addresses, phone numbers, Social Security numbers and dates of birth — shows that the data is authentic. Some AT&T customers have confirmed that their leaked customer data is accurate. However, AT&T has not yet said how its customers’ data was leaked online.
The hacker, who first claimed in August 2021 that he had stolen millions of AT&T customer data, released only a small sample of the leaked files at the time, making it difficult to verify their authenticity.
AT&T, the largest telephone company in the United States, he said in 2021 that the leaked data “does not appear to come from our systems,” but chose not to speculate on where the data came from or whether it was valid.
Troy Hunt, security researcher and owner of the data breach notification site Have I Been Pwned, recently obtained a copy of the full leaked data. Hunt concluded that the leaked data was real by asking AT&T customers if the leaked files were accurate.
In a blog post that breaks down the dataHunt said that of the 73 million leaked records, the data contained 49 million unique email addresses, 44 million social security numbers, as well as customers’ dates of birth.
When reached for comment, AT&T spokesman Stephen Stokes told TechCrunch in a statement: “We have no indication that our systems have been compromised. We determined in 2021 that the information offered in this online forum does not appear to originate from our systems. This appears to be the same data set that has been recycled several times on this forum.”
An AT&T spokesperson did not respond to TechCrunch’s follow-up emails asking if the alleged customer data was valid or where its customer data came from.
As Hunt notes, the source of the breach remains unclear. And it’s unclear whether AT&T knows where the data is coming from. Hunt said it’s plausible that the data comes from either AT&T or “a third-party processor that they use or another unrelated entity.”
What’s clear is that even three years later, we’re still no closer to solving this mystery breach, nor can AT&T say how its customers’ data ended up online.
Investigating data breaches and leaks takes time. But by now AT&T should be able to provide a better explanation for why the data of millions of its customers is online for all to see.
TechCrunch’s Lorenzo Franceschi-Bicchierai contributed reporting.
