AT&T logo

AT&T says a massive trove of data impacting 71 million people did not originate from its systems after a hacker leaked it on a cybercrime forum and claimed it was stolen in a 2021 breach of the company.

While BleepingComputer has not been able to confirm the legitimacy of all the data in the database, we have confirmed some of the entries are accurate, including those whose data is not publicly accessible for scraping.

The data is from an alleged 2021 AT&T data breach that a threat actor known as ShinyHunters attempted to sell on the RaidForums data theft forum for a starting price of $200,000 and incremental offers of $30,000. The hacker stated they would sell it immediately for $1 million.

ShinyHunters attempting to sell alleged AT&T data
ShinyHunters attempting to sell alleged AT&T data
Source: BleepingComputer

AT&T told BleepingComputer then that the data did not originate from them and that its systems were not breached.

"Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems," AT&T told BleepingComputer in 2021.

When we told ShinyHunters that AT&T said the data did not originate from them, they replied, "I don't care if they don't admit. I'm just selling."

AT&T continues to tell BleepingComputer today that they still see no evidence of a breach in their systems and still believe that this data did not originate from them.

BleepingComputer asked AT&T if it was possible the data came from a third-party service provider or vendor but has not received a response at this time.

Alleged AT&T data leaked two years later

Today, another threat actor known as MajorNelson leaked  data from this alleged 2021 data breach for free on a hacking forum, claiming it was the data ShinyHunters attempted to sell in 2021.

Post on hacking forum leaking alleged AT&T data from 2021 breach
Post on hacking forum leaking alleged AT&T data from 2021 breach
Source: BleepingComputer

This data includes names, addresses, mobile phone numbers, encrypted date of birth, encrypted social security numbers, and other internal information.

However, the threat actors have decrypted the birth dates and social security numbers and added them to another file in the leak, making those also accessible.

BleepingComputer has reviewed the data, and while we cannot confirm that all 73 million lines are accurate, we verified some of the data contains correct information, including social security numbers, addresses, dates of birth, and phone numbers.

This was done by confirming the leaked data with people I know who were impacted and verifying that many of the listed users have online AT&T accounts.

Furthermore, other cybersecurity researchers, such as Dark Web Informer, who first told BleepingComputer about the leaked data, and VX-Underground have also confirmed some of the data to be accurate.

At the same time, BleepingComputer could not find data for people known to be AT&T customers in 2021 and earlier. However, this would not be unusual as their total mobile customer base at the end of 2021 was 201.8 million subscribers, meaning that if this data dump is legitimate, it is only a partial dump.

At this point, it's a mystery where the data came from. Still, regardless of where it originated, all signs point to this being data of AT&T customers.

Therefore, if you were an AT&T customer before and through 2021, it is safer to assume that your data was exposed and can be used in targeted attacks, including SMS and email phishing and SIM swapping attacks

If you receive any SMS texts or phishing emails claiming to be from AT&T, be very careful about providing any information. Instead, contact AT&T directly to confirm that they attempted to contact you.

This is a developing story.

Related Articles:

Cisco says DevHub site leak won’t enable future breaches

Leaked info of 122 million linked to B2B data aggregator breach

Interbank confirms data breach following failed extortion, data leak

UnitedHealth says data of 100 million stolen in Change Healthcare breach

Internet Archive hacked, data breach impacts 31 million users