Telephone giant AT&T has reset millions of customer account passwords after a massive data cache containing AT&T customer records was leaked online earlier this month, TechCrunch has learned exclusively.
The U.S. telecom giant launched its mass password reset after TechCrunch informed AT&T on Monday that the leaked data contained encrypted passwords that could be used to access AT&T customer accounts.
A security researcher who analyzed the leaked data told TechCrunch that encrypted account passwords are easy to crack. TechCrunch notified AT&T of the security researcher’s findings.
In a statement released Saturday, AT&T said: “AT&T has launched a robust investigation supported by internal and external cybersecurity experts. Based on our preliminary analysis, the data set appears to be from 2019 or earlier, affecting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.”
“AT&T has no evidence of unauthorized access to its systems resulting in the penetration of the data set,” the statement said.
TechCrunch withheld publication of this story until AT&T could begin resetting customer account passwords. AT&T has also published a post on what customers can do to keep their accounts secure.
AT&T customer account passwords are typically four-digit numbers used as an additional layer of security when accessing a customer’s account, such as by calling AT&T customer service, in retail stores, and online.
This is the first time AT&T has acknowledged that the leaked data belongs to its customers, nearly three years after a hacker claimed to have stolen 73 million AT&T customer records. AT&T has denied its systems were breached, but the source of the leak remains unclear.
AT&T said Saturday that “it is not yet known whether the data in these fields comes from AT&T or from one of its suppliers.”
In 2021, the hacker who claimed to have breached AT&T released only a small sample of files, making it difficult to verify whether the data was authentic. Earlier in March, a data vendor posted the full 73 million alleged AT&T files online to a well-known cybercrime forum, allowing for a more detailed analysis of the leaked files. AT&T customers have since confirmed that their leaked account data is accurate.
The leaked data includes AT&T customer names, home addresses, phone numbers, dates of birth and Social Security numbers.
Security researcher Sam “Chick3nman” Croley told TechCrunch that each record in the leaked data also contains the AT&T customer’s account password in encrypted form. Croley double-checked his findings by searching for files in the leaked data with AT&T account passwords known only to him.
Croley said it was not necessary to crack the cipher to decode the password data.
Croley took all the encrypted passwords from the 73 million-record data set and removed every duplicate. The result was roughly 10,000 unique encrypted values, one for every possible four-digit password from 0000 to 9999, plus a few outliers for the small number of AT&T customers whose account passwords are longer than four digits. That count is the tell: the passwords were encrypted deterministically, with no per-record salt or initialization vector, so every customer who chose the same four digits ended up with the same encrypted value.
According to Croley, because the encryption added no randomness, it is possible to infer a customer’s four-digit account password from the surrounding information in the leaked data set without ever recovering the key.
It’s not unusual for people to set passwords – especially if they’re limited to four digits – that mean something to them. This can be the last four digits of a social security number or the person’s phone number, someone’s year of birth, or even the four digits of a house number. All of this surrounding data is found in almost every record in the leaked dataset.
By correlating encrypted account passwords with surrounding account data — such as customer birth dates, house numbers, and some Social Security numbers and phone numbers — Croley was able to reverse which encrypted values corresponded to which plaintext password.
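The correlation attack described above, as an added example that is not part of TechCrunch’s reporting or of Croley’s own tooling. The data set is synthetic and constructed here (65,000 would be too slow to read; 50,000 fabricated customers with 80% choosing a “meaningful” PIN is an assumption of the model, not a figure from the leak), and the encryption is a constructed stand-in: the article does not identify the cipher, so a keyed HMAC is used only to reproduce the one property that matters, that the same PIN always yields the same encrypted string and the attacker cannot invert it. The attacker side never touches the key: it dedupes the ciphertexts, lets every record vote for the four-digit values found in its own fields, and scores each candidate by what share of all records carrying that value share this ciphertext, which is what separates a real PIN from a merely common birth year.

```python
import hashlib
import hmac
import random
from collections import Counter, defaultdict

# Constructed stand-in key. The real scheme is not identified in the article; the only
# property reproduced here is determinism (no per-record salt or IV).
KEY = b"operator-secret-key-not-known-to-attacker"


def encrypt_pin(key: bytes, pin: str) -> str:
    """Deterministic, key-dependent, non-invertible: same key + same PIN -> same output."""
    return hmac.new(key, pin.encode(), hashlib.sha256).hexdigest()[:16]


def pin_candidates(rec: dict) -> set:
    """Four-digit strings a person might plausibly reuse as a PIN, taken from the
    record's own fields: SSN last four, phone last four, birth year, house number."""
    return {
        rec["ssn"][-4:],
        rec["phone"][-4:],
        rec["dob"][:4],
        rec["house_number"].zfill(4)[-4:],
    }


def make_records(n: int, rng: random.Random, key: bytes, p_meaningful: float = 0.8):
    """Build a synthetic leak (constructed data, not the real set). Each customer
    picks a PIN from their own data with probability p_meaningful, otherwise a
    uniformly random one. Returns the records (carrying only the encrypted PIN) and
    the ground-truth ciphertext->PIN map used to grade the attack; an attacker
    would not have the latter."""
    records, truth = [], {}
    for i in range(n):
        rec = {
            "name": f"Customer {i}",
            "dob": f"{rng.randint(1940, 2005)}-{rng.randint(1, 12):02d}-{rng.randint(1, 28):02d}",
            "ssn": f"{rng.randint(100, 899):03d}-{rng.randint(10, 99):02d}-{rng.randint(0, 9999):04d}",
            "phone": f"{rng.randint(200, 999)}{rng.randint(200, 999)}{rng.randint(0, 9999):04d}",
            "house_number": str(rng.randint(1, 9999)),
        }
        if rng.random() < p_meaningful:
            pin = rng.choice(sorted(pin_candidates(rec)))
        else:
            pin = f"{rng.randint(0, 9999):04d}"
        rec["pin_enc"] = encrypt_pin(key, pin)
        truth[rec["pin_enc"]] = pin
        records.append(rec)
    return records, truth


def unique_ciphertexts(records: list) -> int:
    """Step one of the analysis: dedupe. Deterministic encryption of a four-digit
    space can never produce more than 10,000 distinct values."""
    return len({rec["pin_enc"] for rec in records})


def recover_pins(records: list, min_support: int = 2, smoothing: int = 10) -> dict:
    """Map ciphertexts back to PINs with no key and no cryptanalysis.

    Every record votes, for its own ciphertext, for each candidate value in its
    fields. A candidate is scored by the share of ALL records carrying that value
    whose ciphertext is this one: the true PIN gets a large share (many people who
    have the value chose it), while a coincidental value such as a common birth
    year gets a tiny one. `smoothing` is a pseudo-count so a value seen in only a
    handful of records cannot win on a two-out-of-three fluke; `min_support`
    rejects single-record noise."""
    votes = defaultdict(Counter)   # ciphertext -> candidate -> votes
    background = Counter()         # candidate -> records carrying it anywhere
    for rec in records:
        cands = pin_candidates(rec)
        background.update(cands)
        votes[rec["pin_enc"]].update(cands)

    recovered = {}
    for enc, counter in votes.items():
        best, n_best = max(
            counter.items(),
            key=lambda kv: (kv[1] / (background[kv[0]] + smoothing), kv[1]),
        )
        if n_best >= min_support:
            recovered[enc] = best
    return recovered


def evaluate(recovered: dict, truth: dict):
    """Returns (number of ciphertexts recovered, number recovered correctly)."""
    correct = sum(1 for enc, pin in recovered.items() if truth[enc] == pin)
    return len(recovered), correct


def run_attack(n_records: int = 50_000, seed: int = 7):
    """End-to-end: build the synthetic leak, dedupe, correlate, grade."""
    recs, truth = make_records(n_records, random.Random(seed), KEY)
    found = recover_pins(recs)
    n_recovered, n_correct = evaluate(found, truth)
    return unique_ciphertexts(recs), n_recovered, n_correct


if __name__ == "__main__":
    uniq, n, ok = run_attack()
    print(f"unique encrypted values: {uniq} (max possible for 4 digits: 10000)")
    print(f"recovered {n} ciphertexts without the key, {ok} correct ({ok / n:.1%})")
```

The defence is the one the numbers imply: a randomized construction (a per-record salt, or a mode with a fresh IV) makes two customers with the same PIN indistinguishable, so there is nothing to dedupe and nothing to correlate. Note that randomizing the ciphertext protects the data set at rest only; a four-digit secret is still trivially brute-forced by anyone who can query the verifier, which is why AT&T’s reset, not re-encryption, was the necessary first step.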
AT&T said it will contact all 7.6 million existing customers whose passwords it is resetting, as well as current and former customers whose personal information was compromised.