WFAA reports that AT&T has begun notifying about 7.6 million current AT&T account holders and 65.4 million former account holders whose data recently leaked online. The data set includes information such as Social Security numbers.
It is unknown whether the data “originated from AT&T or one of its vendors,” the company said in a recent statement, which is slightly different from what it said in 2021 when the data was listed for sale on a hacking forum by “ShinyHunters.”
At that time, AT&T initially claimed that it had not experienced any breach and that the data was not from its systems. It said it did not know whether the data might have come from a vendor partner, but it never indicated that it was checking with those partners to find out.
The threat actors never have revealed exactly how they obtained the data or from what systems.
As Troy Hunt recently reported on HaveIBeenPwned.com, when he added 49 million records to his site:
In March 2024, tens of millions of records allegedly breached from AT&T were posted to a popular hacking forum. Dating back to August 2021, the data was originally posted for sale before later being freely released. At the time, AT&T maintained that there had not been a breach of their systems and that the data originated from elsewhere. 12 days later, AT&T acknowledged that data fields specific to them were in the breach and that it was not yet known whether the breach occurred at their end or that of a vendor.
In a recent statement to TechCrunch, who had alerted AT&T to a researcher’s findings that the passcodes in the leak were easy to decipher, AT&T stated, “AT&T has launched a robust investigation supported by internal and external cybersecurity experts. Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.”
Although some news outlets are reporting that the data are on the “dark web,” the situation and risk were even greater because the data were also on the “clearnet,” that part of the internet that everyone and their grandparents can access just by plugging a URL into their usual browser.
So why did it take AT&T until 2024 to force a password reset and notify people when the data had been circulating since 2021? Should they have taken action to identify which vendor partner might have been compromised? Should they have forced password resets on the premise of “better safe than sorry”?