A new development in an old data breach has seen 73 million AT&T customer passcodes published to an underground forum, essentially making them available to the general public. The data leak also includes customer contact information, including partial Social Security numbers in some cases.
The breach appears to have taken place in 2021, and first appeared on the radar of security researchers when the hacker offered a small sample of the data leak on a cybercrime forum. At the time it was impossible to verify the extent of their claims from what they had released, but the information they released appeared to be accurate. The incident now appears to be as bad as originally advertised, with customer contact information attached to weakly encrypted passcodes that are easily deciphered.
About 7.6 million current customers thought to be impacted by data leak
The majority of the records in the data leak, about 65.4 million, are from former customers of AT&T in 2019 or earlier. About 7.6 million are current customers, and the company has reset their passcodes.
These passcodes are encrypted, but are believed to be relatively easy for hackers to decipher. Most customers use only four digits (the minimum required), and an analysis of the data leak by security researcher Sam “Chick3nman” Croley found that there are only about 10,000 unique values among the tens of millions of records, which is exactly the number of possible four-digit codes. Most customers likely use something that can be inferred from the other leaked information: the last four digits of their Social Security number, their birth year, or part of a home address, if not “1234.”
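The figure above (about 10,000 distinct stored values for tens of millions of records) is the signature of a deterministic, unsalted storage scheme: every customer who picked the same four digits ends up with the same stored value, so the store itself reveals how small the passcode space is. The script below is an added illustration, not code from the article or from AT&T; it builds a constructed set of four-digit passcodes, stores them once with a stand-in deterministic scheme (a keyed HMAC under a hypothetical server key) and once with a per-record salt plus a slow KDF, and runs the audit a defender would run on a real store: compare the number of distinct stored values with the number of records. The skewed passcode distribution and the key are assumptions for the demo.

```python
"""Audit a passcode store for the deterministic-storage weakness the article describes.
Added example: all records are constructed sample data, not leaked data."""
import hashlib
import hmac
import os
import random
from collections import Counter

# Constructed sample: n four-digit passcodes. About a third come from a short
# list of popular codes, the rest are uniform over 0000-9999 (an assumption
# about user behaviour, not a figure from the article).
def make_sample_passcodes(n: int = 10_000, seed: int = 7) -> list[str]:
    rng = random.Random(seed)
    popular = ["1234", "0000", "1111", "1212", "2580"]
    codes = []
    for _ in range(n):
        if rng.random() < 0.33:
            codes.append(rng.choice(popular))
        else:
            codes.append(f"{rng.randrange(10_000):04d}")
    return codes

def keyspace_size(min_len: int, max_len: int) -> int:
    """Number of distinct numeric passcodes with min_len..max_len digits."""
    return sum(10 ** k for k in range(min_len, max_len + 1))

# Stand-in for an unsalted, deterministic scheme: the same passcode always maps
# to the same stored value, so the store leaks which customers share a code.
SERVER_KEY = b"constructed-demo-key"  # hypothetical; a real key lives in a KMS/HSM
def store_deterministic(passcode: str) -> str:
    return hmac.new(SERVER_KEY, passcode.encode(), hashlib.sha256).hexdigest()

# Hardened alternative: a random per-record salt plus a slow KDF, so equal
# passcodes yield unrelated stored values. The iteration count is kept low
# so the demo runs quickly; production needs a far higher setting.
def store_salted(passcode: str, iterations: int = 200) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations)
    return salt, digest

def verify_salted(passcode: str, salt: bytes, digest: bytes, iterations: int = 200) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def audit_store(stored_values: list) -> dict:
    """Defender-side check: a distinct-value count far below the record count
    (and capped near the passcode keyspace) fingerprints deterministic storage."""
    counts = Counter(stored_values)
    return {
        "records": len(stored_values),
        "unique_values": len(counts),
        "most_common_share": counts.most_common(1)[0][1] / len(stored_values),
    }

def run_demo(n: int = 10_000) -> tuple[dict, dict]:
    codes = make_sample_passcodes(n)
    deterministic = audit_store([store_deterministic(c) for c in codes])
    salted = audit_store([store_salted(c)[1] for c in codes])
    return deterministic, salted

if __name__ == "__main__":
    deterministic, salted = run_demo()
    print("4-digit keyspace:", keyspace_size(4, 4))
    print("deterministic store:", deterministic)
    print("salted KDF store:   ", salted)
```

With the deterministic scheme the distinct-value count never exceeds 10,000 however many records are stored, and the most common stored value accounts for a visible share of all records; with per-record salts every record is distinct and the audit reveals nothing about which customers chose the same code. A minimum length above four digits (raising `keyspace_size`) only helps if the storage is salted as well.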
The passcodes are not used for account logins, but are essentially a form of 2FA that can become the primary authentication method when calling AT&T for assistance or visiting a retail location. A decrypted passcode plus the contact information found in the data leak (which includes names, addresses and birthdates) could very well be enough to pull off a SIM swap attack over the phone. The story was withheld from the media until AT&T could begin privately resetting codes and contacting customers about the breach, but it remains imperative for any current or former customer to change their passcode as soon as possible.
The hacking forum hosting the full data leak was not named by security researchers, but appears to have both a dark web Tor version and a clearnet version reachable with a standard browser. The leaked data is apparently available via the clearnet version, but users must create an account and pay for “web credits” to view it.
AT&T claims no material business impact, data leak may have originated from a vendor
Since the original report of a breach surfaced in 2021, AT&T has maintained that it has not found evidence of an intrusion into its internal systems. However, it now says that it is not sure if the data leak came from its internal network or from a third-party vendor. It has also stated that it expects no material impact on its operations from the incident, and that credit monitoring will be offered to impacted customers. The company has sent out notices by postal mail and email.
In 2021 the theft was attributed to a group called ShinyHunters, which did not have a sterling reputation for being honest about its exploits or delivering on its promises of stolen data. It has racked up numerous legitimate mass data breaches since 2020, however, including compromise of some other big names: Microsoft, Wattpad, Mashable and Pluto TV among them. The group has not officially disbanded but has been much less active since 2022, when a programmer member was arrested in Morocco and extradited to the United States. In early 2024 he was sentenced to three years in prison and ordered to make restitution of $5 million of stolen money.
AT&T has something of a spotty history with data leaks and breaches in recent years, though not as bad as some of its competitors in the US phone and internet service market. A third-party vendor breach in January 2023 exposed nine million customer records, though AT&T claimed this was limited to basic contact information and did not involve any SSNs or PINs. In May of that year, a security researcher also disclosed a vulnerability that had allowed anyone with a target's ZIP code and phone number to perform an account takeover via the AT&T website; it remains unclear to what extent it might have been abused prior to the responsible disclosure.
US customers who might not be comfortable with the state of AT&T security have few options to turn to for cellular service, however, with the handful of other competitors in the market having similar or worse security issues. Verizon saw two data leaks of customer and employee records in 2023, and T-Mobile has experienced multiple serious incidents over the past several years.
Anne Cutler, Cybersecurity Evangelist at Keeper Security, notes that the combination of information in this breach and the overall size makes it more serious than usual: “The severity of this data breach is significantly heightened because of the Personal Identifiable Information (PII), including full names, email addresses, mailing addresses, phone numbers, Social Security numbers, dates of birth, AT&T account numbers and passcodes, that were part of the compromised data. The immediate concern is the potential exploitation of this exposed data, which could lead to various malicious activities such as identity theft, phishing attacks and unauthorized access to user accounts.”
“Current and former AT&T customers should assume they’ve already been breached and act accordingly. Proactive steps individuals can and should take immediately include changing login information for their account with AT&T, getting a dark web monitoring service, monitoring or freezing their credit and practicing good cyber hygiene. By using strong and unique passwords for every account, enabling MFA everywhere possible, updating software regularly and always thinking before they click, individuals can greatly increase their personal cybersecurity. In cases where personal information is stolen, threats from the data breach persist even after it’s been discovered and contained. It is imperative for both current and former customers of AT&T to take proactive steps to protect themselves from cybercriminals using their personal information for identity theft and targeted attacks. A first step should be signing up for identity theft protection services and securing your AT&T account, as well as your other online accounts, with strong and unique passwords. A dark web monitoring service such as BreachWatch® can alert you if your information shows up on the dark web so that you can take immediate action. A strong password is at least 16 characters with uppercase and lowercase letters, numbers and special characters. To achieve this, it is essential to use a password manager – this will create and store high-strength random passwords for every website, application and system and further, will enable 2FA to further protect your sensitive information,” recommended Cutler.
James McQuiggan, security awareness advocate at KnowBe4, advises all AT&T customers to be on heightened alert for scam and phishing attempts as a result of this breach: “Enterprise organizations are like giant aircraft carriers: they move slow and steady, and any disruptions take a while to recover or respond to. This leak of personal customer information from potentially 2021 can be damaging, as these types of breaches, along with the uncertainty of where the data originated, are problematic and could cause further financial problems down the line with customer trust, damage to the brand and potential class action suits. Nevertheless, users of any phone service provider should be made aware of a data breach as soon as possible. They should also always be monitoring their accounts, and any new accounts that are opened, as cyber criminals will be leveraging this information along with their email addresses, PIN codes and social security numbers to gain access to their phone numbers and accounts in order to SIMJack them. With a successful SIMJack, they can leverage access to other accounts that utilize SMS multi-factor authentication belonging to the victim. Users of AT&T should be vigilant with any emails with links, especially ones linking to password resets or problems with their account. They should utilize the smartphone app or access the website through their own bookmark or by entering the web address themselves to reduce the risk of a further attack on them.”