Nearly three years after RestorePrivacy first broke the AT&T breach by the prolific hacking group ShinyHunters, AT&T has finally admitted today that there was a breach. AT&T has determined that the data a threat actor published on a hacker forum two weeks ago is theirs, impacting 73 million current and former customers.
AT&T is a multinational telecommunications service provider headquartered in Dallas, Texas. It’s the world’s fourth-largest telecom company by revenue and the largest wireless carrier in the United States.
On March 17, 2024, a threat actor using the name ‘MajorNelson’ published samples of a massive database they claimed to be the product of an August 2021 breach organized by the notorious data broker’ ShinyHunters,’ who attempted to sell it for $1,000,000. The database, which contains sensitive information such as full names, email addresses, phone numbers, home addresses, and SSNs, remained undisclosed for years, until MajorNelson leaked it on the ‘Breach’ hacker forums a few weeks ago.
Restore Privacy
Going back to 2021, AT&T denied ShinyHunters’ allegations of the breach, as we covered in our original news article that first broke the story.
Similarly, a few weeks ago, AT&T continued to deny any breach and refuted MajorNelson’s more recent claims, stating to RestorePrivacy that they had no indications of a compromise on its systems.
Regarding the recently-leaked data, an AT&T spokesperson told RestorePrivacy that it appeared to be the same dataset that has been “recycled” several times in underground forums, and the data did not come from them.
Following the full release of the data in March of this year, cybersecurity researcher Troy Hunt, from HaveIBeenPwned, analyzed the data and ultimately concluded that it appeared authentic, despite AT&T denying the “alleged” breach. Mr. Hunt reached out to some of the affected users within the breach, many of whom confirmed the authenticity of the data, including unique emails that were only used with AT&T services.
Troyhunt.com
After three years of official denial since we first broke the news, AT&T finally reversed its stance earlier today.
Three years later, AT&T admits the authenticity of the breached data
Today, AT&T has taken a significant step by acknowledging via a statement that its customers have been impacted by the data breach, despite the data not being stolen directly from them.
“AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web approximately two weeks ago. While AT&T has made this determination, it is not yet known whether the data in those fields originated from AT&T or one of its vendors.”
AT&T
AT&T says it is still in the process of determining the data source, engaging with internal and external cybersecurity experts for the purpose.
Interestingly, the hacking group behind the breach, ShinyHunters, predicted this outcome. All the way back in 2021, ShinyHunters told RestorePrivacy that AT&T would continue to deny the breach until the data was fully released. Nearly three years later, the hacker’s statements have been proven to be correct.
I think they will keep denying until I leak everything
–ShinyHunters statement to RestorePrivacy (2021)
So far, preliminary analysis has shown that the data is from 2019 and earlier and impacts 7.6 million current AT&T account holders and another 65.4 million former account holders.
AT&T urges both categories of users to visit this dedicated portal on account security and follow the instructions to keep their accounts and online presence safe. Those with active accounts will have to reset their passwords out of an abundance of caution. All impacted individuals will receive a personalized email and letter in the upcoming period that determines exactly what data types were compromised in their case.
AT&T finally states that its systems remain secure and show no signs of being directly compromised, and this incident did not impact its telecommunication service operations.
Troy Hunt has included data from the breach in HaveIBeenPwned, allowing people to search the database here.