Three years after hackers first teased an alleged large-scale theft of AT&T customer data, a vendor of compromised data leaked the complete data set online this week. It includes the personal information of approximately 73 million AT&T customers.
New analysis of the complete leaked dataset, including names, home addresses, phone numbers, Social Security numbers, and dates of birth, shows that the data is real. Some AT&T customers have confirmed that the leaked customer data is accurate. However, AT&T has not yet disclosed how its customers' data ended up online.
The hacker first claimed to have stolen data on millions of AT&T customers in August 2021, but he released only a small portion of the leaked records at the time, making it difficult to verify their authenticity.
AT&T, the largest U.S. phone company, said in 2021 that the leaked data “does not appear to come from our systems,” but chose not to speculate on its origin or whether it was valid.
Troy Hunt, a security researcher and owner of data breach notification site Have I Been Pwned, recently obtained a copy of the entire leaked data set. Mr. Hunt asked AT&T customers if the leaked records were accurate and concluded that the leaked data was genuine.
In a blog post analyzing the data, Hunt said that the 73 million leaked records included 49 million unique email addresses, 44 million Social Security numbers, and customers' dates of birth.
Asked for comment, AT&T spokesperson Stephen Stokes told TechCrunch in a statement: “We have determined in 2021 that the information provided in this online forum does not appear to originate from our systems. This appears to be the same dataset that has been recycled several times on this forum.”
An AT&T spokesperson did not respond to TechCrunch's follow-up email asking if the alleged customer data was valid or where it came from.
As Hunt points out, the cause of the breach remains inconclusive. It's also unclear whether AT&T knows where the data came from. Hunt said the data likely came from either AT&T or “a third-party processor that AT&T uses, or another completely unrelated entity.”
What's clear is that three years later, we're still no closer to solving this mysterious breach, and AT&T still can't say how its customers' data ended up online.
Investigating data breaches and leaks takes time. But now AT&T should be able to offer a better explanation for why millions of customers' data is available for anyone to view online.