A significant personal data breach affecting over 86 million AT&T customers has surfaced on the dark web, revealing fully decrypted Social Security numbers.
The stolen data was posted to a Russian cybercrime forum on June 3.
The files contain full names, birthdates, phone numbers, email addresses, home addresses, and 44 million Social Security Numbers in plain text.
The breach seems to be associated with a major cyberattack that targeted weaknesses in Snowflake, a US-based cloud storage service utilized by big corporations for sensitive data management.
It is reported that hackers gained entry to AT&T’s data by compromising accounts that did not have multi-factor authentication, a fundamental security measure that demands more than just a password for access.
To check if your data was exposed in the breach, visit the cybersecurity firm’s website at npd.pentester.com. Enter your information to see if any of your accounts were affected.
Security researchers are urging customers to monitor their credit reports and take immediate steps to protect themselves. Law enforcement is actively investigating.
The files are being widely shared across cybercrime forums, repackaged into three cleanly formatted CSV files that make them easier to access and exploit.
The files contain full names, birthdates, phone numbers, email addresses, home addresses, and alarmingly, 44 million Social Security Numbers (SSN) in plain text
AT&T said the hack impacted 86 million former and current customers. It said the Russian hacking group ShinyHunters was behind the breach.
Around 73m customers included in the hack had their data originally stolen in 2019 and were notified at the time.
However, the group appears to have accessed more records since then.
‘After analysis by our internal teams as well as external data consultants, we are confident this is repackaged data previously released on the dark web,’ said AT&T in a statement.
‘Affected customers were notified at that time. We have notified law enforcement of this latest development,’ the spokesperson added.
Cybersecurity researchers at Hackread, who first analyzed the files, found matching customer names, email addresses, physical addresses, and phone numbers across both the previous leak and the latest dataset.
The leak has been linked to the hacking group ShinyHunters, which claims to have stolen the data.
Security researchers are urging customers to monitor their credit reports and take immediate steps to protect themselves. Law enforcement is actively investigating
ShinyHunters, the group linked to both AT&T breaches, is also behind the recent Ticketmaster breach that compromised data on 560 million people.
Their growing list of high-profile leaks has prompted US lawmakers to demand answers.
Senators Richard Blumenthal (Connecticut) and Josh Hawley (Missouri) have called on both AT&T and Snowflake to explain repeated failures to protect customer data.
Experts say the exposure of decrypted SSNs and birthdates is especially damaging, as it enables criminals to open credit lines, impersonate victims, or apply for government services using stolen identities.
‘The original breach of sensitive records from AT&T was enough to worry their customers, now it poses a significant risk to their identities,’ said Thomas Richards, Infrastructure Security Practice Director at Black Duck.
AT&T paid a $370,000 ransom last year, in an attempt to have stolen customer data deleted. The payment, made in Bitcoin, was routed through an intermediary known as ‘Reddington.’
AT&T reportedly received a video showing the files being deleted, but experts say there’s no way to confirm the data wasn’t copied or shared before that.
