AT&T says data from 73 million accounts was leaked on the dark web

(Bloomberg) — AT&T said the personal data of about 73 million current and former customers was leaked to the dark web, prompting it to reset 7.6 million account passcodes.

Most read from Bloomberg

The data, which included 65.4 million former customers, was leaked to the dark web about two weeks ago. The information disclosed may have included customers' full name, email, mailing address, phone number, Social Security number, date of birth, AT&T account number and passcode, the company said in an email to consumers. It appears to contain no personal financial information or call history.

AT&T said Saturday in a statement that the data appears to be from 2019 or earlier. The source of the data is still under investigation, according to AT&T, and it is not known whether it came from the company or the vendor.

Shares closed little changed at $17.50 after falling nearly 3% Monday morning.

Read more: AT&T outage resulting from company's work to expand network

AT&T said it had no evidence of unauthorized access to its systems, and that the leak had not had a material impact on its operations as of Saturday.

“The company is proactively reaching out to those affected and will provide credit monitoring at our expense where possible,” the statement read.

AT&T has been sued over the data breach, with a class action lawsuit filed on March 30 in the U.S. District Court for the Northern District of Texas saying the company recklessly retained customers' personally identifiable information and failed to take measures to secure its system.

The latest data leak comes about three years after a hacker known as ShinyHunters claimed to have stolen the personal information of about 70 million AT&T customers, according to reports from BleepingComputer at the time. AT&T denied at the time that it was the victim of the data breach, saying the stolen information did not come from its own systems.

The story continues

The hacker only released a small sample of records in 2021, and was selling them for a starting price of $30,000, according to media reports at the time. ShinyHunters had previously taken credit for breaches against other US companies, only to publish databases of stolen data after apparently failing to convince other Dark Web users to pay for it.

TechCrunch previously reported on the latest leak after the data vendor posted the entirety of AT&T's alleged 73 million records on a cybercrime forum. TechCrunch said it informed AT&T of the leak last week and halted publication of its article until the company could begin resetting the passcodes.

AT&T is the third-largest retail wireless carrier in the United States, after Verizon Communications Inc. and T-Mobile US Inc., according to data compiled by Bloomberg. In February, the company experienced a widespread outage that took hours to resolve, prompting the federal government to launch an investigation.

T-Mobile in 2022 agreed to pay $350 million to settle a class action lawsuit after the records of more than 50 million customers were leaked. The following year, it revealed another major breach of customer information about about 37 million subscribers.

(Updates with information about the leaked data in the second paragraph and the lawsuit in the sixth paragraph.)

Most read from Bloomberg Businessweek

©2024 Bloomberg L.P