Three years after a hacker first teased an alleged massive theft of AT&T customer data, a breach seller this week dumped the full dataset online. It contains the personal information of some 73 million AT&T customers.
A new analysis of the fully leaked dataset — containing names, home addresses, phone numbers, Social Security numbers, and dates of birth — points to the data being authentic. Some AT&T customers have confirmed their leaked customer data is accurate. But AT&T still hasn’t said how its customers’ data spilled online.
The hacker, who first claimed in August 2021 to have stolen millions of AT&T customers’ data, only published a small sample of the leaked records at the time, making it difficult to verify its authenticity.
AT&T, the largest phone carrier in the United States, said back in 2021 that the leaked data “does not appear to have come from our systems,” but it chose not to speculate as to where the data had originated or whether it was valid.
Troy Hunt, a security researcher and owner of data breach notification site Have I Been Pwned, recently obtained a copy of the full leaked dataset. Hunt concluded the leaked data was real by asking AT&T customers if their leaked records were accurate.
In a blog post analyzing the data, Hunt said that of the 73 million leaked records, the data contained 49 million unique email addresses, 44 million Social Security numbers, as well as customer dates of birth.
When reached for comment, AT&T spokesperson Stephen Stokes told TechCrunch in a statement: “We have no indications of a compromise of our systems. We determined in 2021 that the information offered on this online forum did not appear to have come from our systems. This appears to be the same dataset that has been recycled several times on this forum.”
The AT&T spokesperson did not respond to follow up emails by TechCrunch asking if the alleged customer data was valid or where its customers’ data came from.
As Hunt notes, the source of the breach remains inconclusive. And it’s not clear if AT&T even knows where the data came from. Hunt said it’s plausible that the data originated either from AT&T or “a third-party processor they use or from another entity altogether that’s entirely unrelated.”
What is clear is that even three years later, we’re still no closer to solving this mystery breach, nor can AT&T say how its customers’ data ended up online.
Investigating data breaches and leaks takes time. But by now AT&T should be able to provide a better explanation as to why millions of its customers’ data is online for all to see.
TechCrunch’s Lorenzo Franceschi-Bicchierai contributed reporting.