AT&T is sending data breach notifications to 51 million former and current customers, warning them that their personal data was exposed on a hacking forum. However, the company has still not disclosed how the data was obtained.
These data breach notifications are related to the recent leak of a large amount of AT&T customer data on the Breach hacking forum that was previously being offered for sale for $1 million in 2021.
When the AT&T data was first put up for sale by the threat actor ShinyHunters in 2021, AT&T told BleepingComputer that the data did not belong to them and that their systems were not breached.
Last month, when another threat actor known as ‘MajorNelson’ leaked the entire dataset on the hacking forum, AT&T once again told BleepingComputer that the data did not originate from them and that their systems were not breached.
After BleepingComputer confirmed that the data belonged to AT&T and DirectTV accounts and TechCrunch reported that AT&T passcodes were in the data dump, AT&T finally confirmed that the data belonged to them.
While the data leak contained information for over 70 million people, AT&T is now saying that it impacted a total of 51,226,382 customers.
“The [exposed] information varied by individual and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode,” reads the notification.
“To the best of our knowledge, personal financial information and call history were not included. Based on our investigation to date, the data appears to be from June 2019 or earlier.”
BleepingComputer contacted AT&T to ask why there is such a large difference in impacted customers but had not heard back by the time of publication.
The company has still not disclosed how the data was stolen or why it took them almost five years to confirm that the data belonged to them and to alert customers.
Furthermore, the company told the Maine Attorney General’s Office that they first learned of the breach on March 26, 2024, yet BleepingComputer first contacted them about it on March 17th and the data was initially offered for sale in 2021.
While it is likely too late, as the data has been privately circulating for years, AT&T is offering one year of identity theft protection and credit monitoring services through Experian, with instructions enclosed in the notices. The enrollment deadline was set to August 30, 2024, but exposed individuals should move much faster to protect themselves.
Recipients are urged to stay vigilant, monitor their accounts and credit reports for suspicious activity, and treat unsolicited communications with elevated caution.
For the admitted security lapse and the long delay in verifying the data breach claims and informing affected customers accordingly, AT&T is facing multiple class-action lawsuits in the U.S.
Considering that the data was stolen in 2021, cybercriminals have had ample opportunity to exploit the dataset and launch targeted attacks against exposed AT&T customers.
However, the dataset has now been leaked to the broader cybercrime community, exponentially increasing the risk for former and current AT&T customers.