AT&T acknowledged that a data leak making the rounds online contained information from more than 7.6 million current customers and 65 million former customers. The company reset the security passcodes of active customers affected, and said the leaked information “may include full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and passcode.”
AT&T contacted affected customers by “email or letter” to let them know what data was included and what it has done for customers in response.
The company’s acknowledgment that the leaked data was real – the first reports of the leak appeared in 2021 – only later. TechCrunch AT&T announced the vulnerability in its encrypted passcodes on Monday. Passcodes are typically four-digit numerical PINs used for account security during phone calls with company support or in-store verification and a security researcher’s analysis revealed that it is “easy” to decipher” the passcodes.
This FAQ states that customers can set up free fraud alerts from credit bureaus Equifax, Experian, and TransUnion. According to AT&T, the data set “appears to be from 2019 or earlier and does not contain personal financial information or call history.” The company said it is working with “external cybersecurity experts to analyze the situation,” and so far it has “no evidence of authorized access” to its systems.