
The AT&T Data Breach: What 73 Million Customers Need to Know

AT&T confirmed in March 2024 that a dataset containing the personal information of approximately 73 million current and former customers had been leaked online. The data included Social Security numbers, account passcodes, and personal details. Here's what happened and what you should do.

breached.news · 10 min read

In March 2024, AT&T confirmed what security researchers had been saying for three years: a massive dataset containing the personal information of tens of millions of customers was real, and it had originated from AT&T's systems.

The data had first appeared online in 2021, when a hacker offered to sell what they claimed was AT&T customer data for $1 million. AT&T denied at the time that the data had come from them. The data then disappeared from public view for several years — only to resurface in March 2024 on a cybercriminal forum, this time freely available to anyone who wanted it.

AT&T's response when the data resurfaced was to finally acknowledge it. The company confirmed that a dataset of approximately 73 million current and former customers had been leaked, and that it contained sensitive personal information including, in many cases, Social Security numbers.

The admission AT&T had withheld all this time, that 73 million people's sensitive data had been circulating in criminal networks, was one of the more significant disclosures in recent memory. The delay between when the breach apparently occurred and when the company publicly acknowledged it raised serious questions about corporate responsibility in the data breach era.

What Data Was Exposed

The AT&T dataset, based on analysis by security researchers and confirmed in broad terms by the company, included:

  • Full names
  • Email addresses
  • Mailing addresses
  • Phone numbers
  • Dates of birth
  • AT&T account numbers
  • Social Security numbers (for most records)
  • Account passcodes — the four-digit numeric PINs that AT&T customers use to authenticate themselves when calling customer service or visiting a store

The account passcodes were among the most immediately dangerous elements of the breach. AT&T uses these passcodes as an authentication mechanism — if you call AT&T to ask about your account, change your service, port your number to a new carrier, or make changes that require identity verification, you'll be asked for this code. With someone's name, account number, and passcode, an attacker could potentially impersonate them to AT&T customer service with significant effectiveness.

This has specific and serious implications for SIM swapping — a fraud technique in which an attacker convinces a carrier's customer service representatives to transfer the victim's phone number to a SIM card controlled by the attacker. SIM swapping is used to hijack SMS-based two-factor authentication, drain cryptocurrency wallets, and take over other accounts. Having a valid customer passcode makes a SIM swap attempt far more credible.

To understand why the passcode exposure was particularly damaging, it helps to be precise about what AT&T's passcode actually is. Unlike the password used to log into AT&T's online account portal, the account passcode — sometimes called an account PIN — is a short numeric code, typically four digits, that customers set when establishing service. It serves as an identity verification credential for in-person store visits and telephone interactions with AT&T representatives. A customer service agent who confirms a caller knows the correct passcode will generally proceed with account changes, including — critically — number ports to a different carrier. AT&T stored these passcodes in hashed form, but researchers who analysed the leaked dataset reported being able to reverse a significant proportion of the hashed values within hours, using commodity hardware and precomputed tables. AT&T acknowledged this in its March 2024 disclosure and said it had proactively reset account passcodes for the approximately 7.6 million current customers confirmed in the dataset.
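To see why a hashed four-digit passcode offers so little protection, here is an added illustration that is not from the article or from AT&T: the hashing scheme AT&T actually used is not stated on the page, so plain unsalted SHA-256 is an assumption, and the "leaked" record is constructed. It builds the full lookup table for the 10,000 possible PINs, reverses a hash with it, and then shows that the same table is useless against a keyed (HMAC with a server-held secret) scheme.

```python
import hashlib
import hmac
import secrets

# The whole keyspace of a four-digit numeric passcode: only 10,000 candidates.
# This tiny space, not the hash function, is what made the leaked hashes recoverable.
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]


def hash_pin_unkeyed(pin: str) -> str:
    """Weak scheme (assumed, not documented for AT&T): plain unsalted SHA-256 of the PIN."""
    return hashlib.sha256(pin.encode()).hexdigest()


def build_lookup_table() -> dict:
    """Precompute hash -> PIN for every possible PIN. Takes milliseconds on a laptop."""
    return {hash_pin_unkeyed(p): p for p in PIN_SPACE}


def reverse_pin_hash(digest: str, table: dict):
    """Look a leaked digest up in the precomputed table; None if it is not an unkeyed PIN hash."""
    return table.get(digest)


def hash_pin_keyed(pin: str, salt: bytes, pepper: bytes) -> str:
    """Hardened scheme: HMAC-SHA256 keyed with a server-held secret (pepper) plus a per-record salt.

    A precomputed table cannot be built without the pepper, and the salt stops one
    table from covering every record. The pepper must live outside the database
    (HSM or secrets manager): if it leaks alongside the data, the table is rebuilt
    in milliseconds. Because the space is so small, the PIN should also never be
    the sole credential for high-risk changes such as number ports.
    """
    return hmac.new(pepper, salt + pin.encode(), hashlib.sha256).hexdigest()


def demo() -> dict:
    """Reverse a constructed leaked record, then show the keyed form resists the same table."""
    table = build_lookup_table()
    leaked = hash_pin_unkeyed("0417")  # constructed sample record
    recovered = reverse_pin_hash(leaked, table)
    pepper = secrets.token_bytes(32)  # server-side secret, never stored with the records
    salt = secrets.token_bytes(16)  # per-record salt, stored next to the record
    keyed_recovered = reverse_pin_hash(hash_pin_keyed("0417", salt, pepper), table)
    return {"table_size": len(table), "recovered": recovered, "keyed_recovered": keyed_recovered}


if __name__ == "__main__":
    print(demo())  # recovered == "0417", keyed_recovered is None
```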

The Social Security numbers in the dataset — present for the majority of the 73 million records, according to AT&T's disclosure — are the longest-lasting risk. Social Security numbers don't change. Unlike a password or even a phone number, a leaked SSN remains a liability forever. Criminals can use SSNs to file fraudulent tax returns, open new credit accounts, apply for government benefits, or commit medical identity theft. The damage can take years to surface and years more to correct.

When Did This Happen?

AT&T's disclosure was somewhat evasive on the precise origins of the breach. The company said it was "not yet able to determine" whether the leaked data came from AT&T itself or from a third-party vendor, and that the data appeared to be from 2019 or earlier based on characteristics of the records.

This hedging frustrated security researchers and regulators alike. The breach apparently affecting 73 million people — potentially including some 65 million former customers and approximately 7.6 million current account holders — had been available on criminal markets in some form since at least 2021. The question of why it took until March 2024 for the company to publicly acknowledge it, and why the company initially denied it was their data, was never fully answered.

The timeline of the dark web activity is worth reconstructing. Security researchers first noted the AT&T dataset being offered for sale on criminal forums around August 2021. The seller — operating under the handle "ShinyHunters" in at least some accounts — was asking $1 million for exclusive access. AT&T denied at the time that any breach had occurred. The dataset then largely dropped from public view, circulating in restricted criminal communities before resurfacing on a public hacking forum called BreachForums in March 2024, where it was made freely available to any registered user. The gap between first appearance (2021) and public acknowledgement (2024) is roughly three years — a period during which the data was presumably circulating among buyers whose identities remain unknown.

The ShinyHunters group, the same criminal network linked to the Ticketmaster breach and multiple other large-scale data theft operations, has been connected to the initial 2021 offer to sell the AT&T data. Whether ShinyHunters was directly responsible for the breach itself, or had obtained the data from another source, was not definitively established. What is clearer is that ShinyHunters was also the group behind the Snowflake credential-stuffing campaign that fuelled the separate July 2024 AT&T communications-records breach, along with parallel breaches at Ticketmaster, Santander Bank, and several other large organisations. That campaign exploited the absence of multi-factor authentication on Snowflake cloud accounts — a single-point vulnerability that cascaded across multiple large enterprises simultaneously. The FCC opened a formal investigation into AT&T's data security practices following the March 2024 disclosure, examining both the underlying security failures and the company's notification timeline. That inquiry fed into the $13 million settlement finalised in September 2024, though that settlement related specifically to the July communications-records breach rather than the March personal-data disclosure. Regulators have noted publicly that investigations into the earlier incident remain ongoing.

A Second Breach Later That Year

In July 2024, AT&T disclosed a separate and distinct breach that compounded the situation considerably.

In this incident, AT&T revealed that the call and text metadata of "nearly all" of its wireless customers — and customers of mobile virtual network operators that use AT&T's network — had been illegally downloaded from an AT&T workspace on the Snowflake cloud platform, the same platform targeted in attacks against Ticketmaster and other companies.

The data exposed in this second incident was different in character from the March disclosure. Rather than the kind of personal information used for identity theft, the July breach exposed call and text records: who called whom, when, and for how long. For approximately 51 million customers, the records also included cell tower location data, which could be used to reconstruct a person's physical movements.

The combination of the two breaches — personal identifiers from the March disclosure and communications metadata from the July incident — represented a remarkably comprehensive surveillance dataset.

AT&T confirmed it had paid approximately $370,000 to the hacker responsible for the July breach to delete the data and provide proof of deletion. The FBI and DOJ approved a temporary delay in the public disclosure to allow law enforcement to conduct its investigation; a suspect was later arrested.

The Regulatory and Legal Fallout

The March 2024 breach triggered FCC scrutiny. The Federal Communications Commission is responsible for ensuring that telecommunications companies protect customer data under the terms of the Communications Act. AT&T's apparent multi-year delay in acknowledging a breach of 73 million customer records — and the initial denial that the data came from their systems — raised questions about compliance with breach notification obligations.

Multiple class-action lawsuits were filed in the days following the March disclosure. The plaintiffs alleged that AT&T had failed to adequately secure customer data, failed to timely notify customers of the breach, and had misled customers about the security of their information.

AT&T negotiated a settlement with the FCC in September 2024 over the July communications-records breach, paying a civil penalty of $13 million. The company neither admitted nor denied the allegations.

What AT&T Customers Should Do

If you are or were an AT&T customer, you should take the following steps:

Reset your AT&T account passcode immediately. Log into your AT&T account online or visit a store. Your passcode is typically a four-digit PIN. Change it to something unique — not your birthday, address, or any number that appears elsewhere in your personal information. AT&T reset passcodes for affected accounts after the March breach, but it's worth confirming your current passcode and changing it if you haven't recently.

Add an account PIN or password at the carrier level. Ask AT&T about additional account security options, including "number lock" or "port freeze" features that restrict the ability to transfer your phone number to a new carrier without additional verification steps. This directly reduces SIM swapping risk.

Place a credit freeze with all three major bureaus. With Social Security numbers and personal details in the breach, new account fraud is the primary financial risk. A credit freeze prevents new credit from being opened in your name. It's free and reversible. We cover this process in detail in our step-by-step guide to freezing your credit.

Check whether your data was included. AT&T notified affected customers by email after the March 2024 disclosure. If you didn't receive a notification, you can contact AT&T customer support to confirm whether your account was affected.

Monitor your credit reports at AnnualCreditReport.com. With free weekly access to reports from all three bureaus, you can spot new accounts or inquiries you don't recognise.

Be alert to SIM-swapping attempts. Signs include your phone suddenly losing service, receiving texts about account changes you didn't request, or finding you can't make calls or access your mobile data. If your phone loses service unexpectedly, contact your carrier immediately from another device.

Treat any communications purportedly from AT&T with caution. Attackers who have your AT&T account details may craft convincing phishing emails or text messages that appear to be from the company. If you receive unexpected communications about your account, contact AT&T through official channels rather than following any links in the message.

The Bigger Problem

The AT&T breach and its sequel are part of a pattern that, seen in aggregate, reveals something important about how telecommunications companies treat customer data — and how regulatory oversight has failed to keep pace with the consequences of getting it wrong.

Telecom companies hold uniquely sensitive data. They know who you call. They know where your phone is. They can, if someone impersonates you effectively enough, reroute your phone number and effectively hijack your digital identity. The Social Security numbers, passcodes, and personal details that telecommunications carriers collect for account verification represent exactly the kind of information that causes lasting harm when it escapes.

As we reported in our coverage of the 23andMe breach, large organisations routinely collect far more personal data than they need for their core business, hold it for far longer than necessary, and secure it far less rigorously than the sensitivity of that data demands. The practical consequence is that breaches of this scale — affecting tens of millions of people — have become routine.

The gap between the scale of these incidents and the consequences for the organisations responsible continues to yawn. $13 million in FCC penalties for a breach of phone records belonging to most of the country's wireless subscribers is not a deterrent at AT&T's revenue scale. Until that changes, the incentives to invest in the security infrastructure that might prevent these breaches remain weaker than they need to be.

For individuals, the lesson is the same as it always is: assume your data is out there, act accordingly, and take the specific protective steps — credit freeze, unique passwords, account security features — that reduce what criminals can do with it.
