AT&T is sending data breach notifications to 51 million former and current customers, warning them that their personal information was exposed on a hacking forum. However, the company has still not disclosed how the data was obtained.
These data breach notifications are related to the recent leak of a massive amount of AT&T customer data on the Breach hacking forums that was previously being offered for sale for $1 million in 2021.
When the AT&T data was first put up for sale by the threat actor ShinyHunters in 2021, AT&T told BleepingComputer that the data did not belong to them and that their systems were not breached.
Last month, when another threat actor known as 'MajorNelson' leaked the entire dataset on the hacking forum, AT&T once again told BleepingComputer that the data did not originate from them and their systems were not breached.
After BleepingComputer confirmed that the data belonged to AT&T and DirectTV accounts and TechCrunch reported AT&T passcodes were in the data dump, AT&T finally confirmed that the data belonged to them.
While the data leak contained the information for over 70 million people, AT&T is now saying that it impacted a total of 51,226,382 customers.
“The [exposed] information varied by individual and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode,” reads the notification.
“To the best of our knowledge, personal financial information and call history were not included. Based on our investigation to date, the data appears to be from June 2019 or earlier.”
BleepingComputer contacted AT&T to ask why there is such a large difference in impacted customers but has not heard back by the time of publication.
The company has still not disclosed how the data was stolen and why it took them almost 5 years to confirm the data belonged to them and alert customers.
Furthermore, the company told the Maine Attorney General's Office that they first learned of the breach on March 26, 2024, yet BleepingComputer first contacted them about it on March 17th and it was initially for sale in 2021.
While it is likely too late as the data has been privately circulating for years, AT&T is offering one year of identity theft protection and credit monitoring services through Experian, with instructions enclosed in the notices. The enrollment deadline was set to August 30, 2024, but exposed people should move much faster to protect themselves.
Recipients are urged to stay vigilant, monitor their accounts and credit reports for suspicious activity, and treat unsolicited communications with elevated caution.
For the admitted security lapse and the massive delay in verifying the data breach claims and informing affected customers accordingly, AT&T is facing multiple class-action lawsuits in the U.S.
Considering that the data was stolen in 2021, cybercriminals have had ample opportunity to exploit the dataset and launch targeted attacks against exposed AT&T customers.
However, the dataset has now been leaked to the broader cybercrime community, exponentially increasing the risk for former and current AT&T customers.