Telco giant AT&T has revealed that it has suffered a massive data breach, including the personal data of a combined 73 million current and former customers.
The data appeared on the dark web approximately two weeks ago, AT&T says, adding that it appears to be “from 2019 or earlier.” It is “not yet known whether the data in those fields originated from AT&T or one of its vendors,” the company adds.
The good news is that it “does not contain personal financial information or call history.” The bad news is that it does include customer names, home addresses, phone numbers, dates of birth, Social Security numbers and encrypted passcodes.
The 7.6 million current customers impacted have had their passcodes reset, the company said, though obviously there’s less it can do for data lifted and used for identity theft.
“We will be reaching out to individuals with compromised sensitive personal information separately and offering complimentary identity theft and credit monitoring services,” says a page on the official site, where you can also find more information on how to keep your AT&T account secure in the wake of the data breach.
Passcodes, not passwords
It’s important to note that the data includes passcodes, rather than passwords. Passcodes are (typically four-digit) numbers used for extra security when accessing a customer account via phone, in store or online.
That may make the breach appear less immediately threatening to the 65.4 million former customers, but those impacted should still be vigilant if other passcodes of theirs replicate the combination.
That’s because there’s potentially enough data within the breach to guess the PIN. As security researcher Sam Croley told TechCrunch, passcode data could be unscrambled without the encryption cipher, thanks to customers’ frequent use of associated digits for their four-number passcodes. In other words, with Social Security, phone and house numbers all potentially leaked at the same time, there are a number of ready-made combinations for criminals to try.
Talk of a breach first surfaced earlier this month, when the X account @vx-underground claimed that over 70 million records were leaked onto Breached. At the time, AT&T suggested this was likely a rehash of a dataset it dismissed back in 2021.
It’s been a rough start to the year for the telco. Last month, it was forced to deny that a near day-long outage was not the result of a cyberattack.