AT&T, one of the largest telecommunications companies in the United States, has finally confirmed that they experienced a significant data breach affecting approximately 73 million current and former customers. The breach involved the leak of customer data, including personally identifiable information (PII) such as names, addresses, phone numbers, Social Security numbers, and account passcodes.
In a statement, the company said “AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web approximately two weeks ago. While AT&T has made this determination, it is not yet known whether the data in those fields originated from AT&T or one of its vendors. With respect to the balance of the data set, which includes personal information such as social security numbers, the source of the data is still being assessed.”
The compromised data was found on the dark web, offered for sale on a hacking forum by a threat actor known as ‘MajorNelson’ in March this year. This is not, however, the first time a threat actor has claimed to possess the data set: in 2021 the threat actor ‘ShinyHunters’ first listed the data for sale. At the time, AT&T vigorously denied that the data belonged to it and stated that its systems had not been breached.
AT&T breach: Timeline of events
March 2021: A hacker claimed to be selling a dataset containing the personal information of 70 million AT&T subscribers. AT&T denied any breach and questioned the validity of the data.
March 17, 2024: The leaked data resurfaces on the dark web, available for sale on hacker forums.
March 26, 2024: A security researcher alerts AT&T that the encrypted account passcodes in the leaked data are easy to decipher.
March 30, 2024: AT&T confirms the authenticity of the leaked customer records and resets affected account passcodes.
April 11, 2024: AT&T sends email notifications to over 70 million affected customers and offers one year of free identity theft protection through Experian; the notifications cause a massive traffic spike on the company’s website.
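The March 26 finding in the timeline above is worth making concrete. The following is an added example, not code from the article or from AT&T, and it assumes two things the article does not state: that account passcodes are 4-digit numeric PINs, and that the leaked "encrypted" values were produced by an unsalted, unkeyed hash. Under those assumptions it shows why such values fall to a single precomputed table, why a per-record salt alone does not rescue a 4-digit space, and what does: a server-side secret (pepper) that never sits in the same database as the stored values. All function names and sample passcodes are constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumption for illustration: account passcodes are 4-digit numeric PINs and
# the leaked "encrypted" values came from an unsalted, unkeyed hash. The
# article does not state the real scheme; this models the failure mode.
DIGITS = 4


def weak_protect(passcode: str) -> str:
    """One unsalted, unkeyed hash: every customer with passcode 1234 gets
    the identical stored value, so one table reverses all of them."""
    return hashlib.sha256(passcode.encode()).hexdigest()


def build_lookup_table(digits: int = DIGITS) -> dict:
    """Precompute stored value -> passcode for all 10**digits candidates."""
    return {
        weak_protect(f"{n:0{digits}d}"): f"{n:0{digits}d}"
        for n in range(10 ** digits)
    }


def recover_weak(stored_values):
    """Reverse a batch of leaked values with one table lookup each."""
    table = build_lookup_table()
    return {v: table.get(v) for v in stored_values}


def salted_protect(passcode: str, salt: bytes) -> str:
    """Per-record salt, but still no secret key."""
    return hashlib.sha256(salt + passcode.encode()).hexdigest()


def brute_force_salted(salt: bytes, stored: str, digits: int = DIGITS):
    """A salt defeats the shared table, but a 4-digit space is only 10,000
    guesses per record: trivial for anyone holding the dump."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        if salted_protect(guess, salt) == stored:
            return guess
    return None


def strong_protect(passcode: str, pepper: bytes, salt: bytes = None):
    """Salt plus a server-side secret (pepper) held outside the database,
    e.g. in an HSM or secrets manager. Without the pepper the dump alone
    gives an attacker nothing to compute candidate values against."""
    salt = salt or os.urandom(16)
    tag = hmac.new(pepper, salt + passcode.encode(), hashlib.sha256).hexdigest()
    return salt, tag


def strong_verify(passcode: str, pepper: bytes, salt: bytes, tag: str) -> bool:
    expected = hmac.new(pepper, salt + passcode.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def brute_force_without_pepper(salt: bytes, tag: str, digits: int = DIGITS):
    """What an attacker can do with (salt, tag) but no pepper: hash every
    guess without the key. Nothing matches, so offline recovery fails."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        if salted_protect(guess, salt) == tag:
            return guess
    return None


if __name__ == "__main__":
    leaked = [weak_protect("1234"), weak_protect("0007"), weak_protect("9999")]
    print("unsalted hashes recovered:", recover_weak(leaked))
    salt = os.urandom(16)
    print("salted, no pepper:", brute_force_salted(salt, salted_protect("4321", salt)))
    pepper = os.urandom(32)  # in production: fetched from an HSM/secrets manager
    salt, tag = strong_protect("1234", pepper)
    print("peppered, verify ok:", strong_verify("1234", pepper, salt, tag))
    print("peppered, offline recovery:", brute_force_without_pepper(salt, tag))
```

The design point is that no hash construction, slow or salted, can protect a 10,000-value space against an attacker who has the database; the only thing that makes the dump useless offline is a key the dump does not contain, combined with online rate limiting so the attacker cannot simply guess against the live service instead.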
Although AT&T has not confirmed that the data set offered on both occasions is one and the same, it has determined that the data is old, stating: “Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.” The exact method of the breach is still unknown: AT&T has not disclosed the source of the leak or how the information was compromised.
The data breach has had a significant impact on both AT&T and its customers. Despite being five years old, the leaked data still represents a threat to affected customers: it can be used to impersonate them, commit fraud, or gain unauthorized access to their accounts. Unlike a passcode, which can be reset, a Social Security number cannot be rotated, so that part of the exposure does not expire.
AT&T has taken action to address the data breach and protect its customers. The company has reset account passcodes for affected customers and is offering one year of free identity theft protection. AT&T is also working with cybersecurity experts to investigate the breach and identify the source of the leak.
The company faces a tough uphill battle over the coming months as it seeks to calm concerned customers and defend itself against multiple class-action lawsuits in the U.S. as a result of the security lapse and delay in verifying the breach.
Taking preventative action
To proactively hunt for potential threats related to the AT&T data breach, the following actions can be taken:
· Monitor dark web marketplaces and hacker forums for any mentions or sales of AT&T customer data.
· Conduct OSINT (Open-Source Intelligence) investigations to identify any threat actors or groups involved in the data breach.
· Analyze authentication and network logs for anomalies, such as one source authenticating against many unrelated accounts, that could indicate leaked passcodes being used for account takeover or further compromise.
· Collaborate with law enforcement agencies and industry partners to share threat intelligence and stay updated on emerging threats.
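As an added example of the log analysis suggested above (not code from the article or from AT&T), the following script runs a simple account-takeover hunt over a constructed sample of passcode authentication events. The log format, the source addresses (RFC 5737 documentation ranges) and the account identifiers are all invented for illustration. The detection keys on how many distinct accounts a single source touches rather than on failure rate, because an attacker replaying passcodes from a real leak often succeeds on the first attempt.

```python
import re
from collections import defaultdict

# Constructed sample of account-passcode authentication events in a
# hypothetical format; not AT&T's real logs. One malformed line is included
# to show that the parser drops it rather than crashing.
SAMPLE_LOG = """
2024-04-12T10:00:01Z src=198.51.100.10 account=acct-1001 result=OK
2024-04-12T10:00:05Z src=198.51.100.11 account=acct-1002 result=FAIL
2024-04-12T10:00:09Z src=198.51.100.11 account=acct-1002 result=OK
2024-04-12T10:01:00Z src=203.0.113.5 account=acct-2001 result=OK
2024-04-12T10:01:02Z src=203.0.113.5 account=acct-2002 result=OK
2024-04-12T10:01:04Z src=203.0.113.5 account=acct-2003 result=FAIL
2024-04-12T10:01:06Z src=203.0.113.5 account=acct-2004 result=OK
2024-04-12T10:01:08Z src=203.0.113.5 account=acct-2005 result=FAIL
2024-04-12T10:01:10Z src=203.0.113.5 account=acct-2006 result=OK
this line is malformed and must be skipped
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) account=(?P<acct>\S+) result=(?P<res>OK|FAIL)$"
)


def parse_events(lines):
    """Parse well-formed lines into dicts; silently drop anything else."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def flag_sources(events, min_accounts=5):
    """Flag sources that authenticate against many distinct accounts.
    A legitimate customer touches one or two accounts; a source walking a
    leaked passcode list touches many, and because the passcodes are real
    it often succeeds first time, so failure rate alone is not the signal."""
    per_src = defaultdict(lambda: {"accounts": set(), "ok": 0, "fail": 0})
    for e in events:
        stats = per_src[e["src"]]
        stats["accounts"].add(e["acct"])
        stats["ok" if e["res"] == "OK" else "fail"] += 1
    return {
        src: {"distinct_accounts": len(s["accounts"]), "ok": s["ok"], "fail": s["fail"]}
        for src, s in per_src.items()
        if len(s["accounts"]) >= min_accounts
    }


def accounts_to_reset(events, flagged):
    """Accounts a flagged source actually got into: candidates for a forced
    passcode reset and customer notification."""
    return sorted(
        {e["acct"] for e in events if e["src"] in flagged and e["res"] == "OK"}
    )


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    flagged = flag_sources(evs)
    print("flagged sources:", flagged)
    print("accounts to reset:", accounts_to_reset(evs, flagged))
```

In production the per-source counters would be windowed in time and the source key would usually be a combination of address, device fingerprint and ASN, since an attacker with a list this large will spread attempts across proxies; the threshold of five distinct accounts is a placeholder to be tuned against the service's real baseline.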