The personal information of more than 70 million current and former AT&T customers was leaked after a data breach that occurred two weeks ago, the company announced Saturday.
Information could have included names, Social Security numbers, birth dates, email addresses, mailing addresses and AT&T account numbers and passcodes, according to the company.
“It has come to our attention that a number of AT&T passcodes have been compromised,” a statement on the company website read.
But the company does not know exactly where the breach occurred, saying it could have come from a vendor and not AT&T itself: “AT&T does not have evidence of unauthorized access to its systems resulting in theft of the dataset.”
In all, 7.6 million current customers were impacted and have been contacted to reset their codes, a numerical PIN that is usually four numbers.
People with leaked information will receive an email or letter explaining the incident and what information is believed to be compromised.
The company said data-specific fields were contained in a dataset released on the dark web.
“While AT&T has made this determination, it is not yet known whether the data in those fields originated from AT&T or one of its vendors,” according to the company’s statement.
A preliminary analysis showed data appears to be from 2019 or earlier, affecting about 7.6 million current AT&T account holders and 65.4 million former account holders.
Customers are encouraged to monitor account activity and credit reports and visit the company website for instructions on how to reset their passcode.
TechCrunch, a technology news site, reported the breach may have occurred in 2021 but AT&T denied it at that time. The site reports a hacker claimed responsibility for the attack that year but didn’t post enough data to determine if the breach was authentic.
Earlier this month, according to TechCrunch, a data seller published 73 million alleged AT&T records online on a known cyber crime forum, and AT&T customers have confirmed the data is accurate.
TechCrunch informed AT&T of the dataset Monday, telling the cellphone giant that “the leaked data contained encrypted passcodes that could be used to access AT&T customer accounts.”
TechCrunch said it delayed publishing an article on the breach until AT&T could begin resetting customer account passcodes.
