AT&T began notifying U.S. state authorities and regulators of the security incident after confirming that millions of customer records posted online last month were authentic.
In a legally required filing with the Maine Attorney General's Office, the U.S. telecommunications giant said that more than 51 million people, including about 90,000 people in Maine, had their personal information compromised in the data breach. He said he had sent a letter informing them.
AT&T, the largest U.S. telecommunications company, said the compromised data included customers' names, email addresses, addresses, dates of birth, phone numbers and Social Security numbers.
AT&T said the leaked customer information dates back to before mid-2019, but the records contained valid data on more than 7.9 million current AT&T customers.
AT&T took action nearly three years after some of the leaked data first appeared online, which prevented meaningful data analysis. A complete cache of 73 million leaked customer records was dumped online last month, allowing customers to verify that their data is real. Some records contained duplicates.
The leaked data also included encrypted account passcodes that allow access to customer accounts.
Shortly after the full data set was made public, a security researcher informed TechCrunch that the encrypted passcodes found in the leaked data were easy to crack. After TechCrunch warned AT&T on March 26 that it posed a risk to customers, AT&T reset the passcodes on these accounts. TechCrunch deferred this story until AT&T completes the process of resetting passcodes for affected customers.
AT&T eventually acknowledged that the leaked data belonged to its customers, including about 65 million former customers.
Companies that experience a data breach that affects a large number of people are required to disclose the incident to the U.S. Attorney General under state data breach notification laws. AT&T said in a notice filed with the state of Maine that it is offering identity theft and credit monitoring to affected customers.
AT&T has not yet determined the cause of the breach.