Three years after a hacker first teased a massive theft of AT&T customer data, a vulnerability seller put the complete set of data online this week. It contains the personal information of approximately 73 million AT&T customers.
New analysis of the fully leaked profile, which contains names, home addresses, phone numbers, Social Security numbers and dates of birth, shows they are genuine. Some AT&T customers have confirmed that their leaked customer information is accurate. But AT&T still hasn’t revealed how its customer data was leaked online.
The hacker first claimed to have stolen the data of millions of AT&T customers in August 2021, and only a small sample of the leaked records was released at the time, making it difficult to verify its authenticity.
AT&T, the largest U.S. phone carrier, said back in 2021 that the leaked data “does not appear to have come from our systems,” but it chose not to speculate on its origin or whether it was valid.
Troy Hunt, a security researcher and owner of the breach notification website Have I Been Pwned, recently obtained a copy of the complete leaked set. Hunter determined that the leaked information was authentic by asking AT&T customers whether the leaked records were accurate.
Hunt said in a blog post analyzing the data that of the 73 million leaked records, the data contained 49 million unique email addresses, 44 million Social Security numbers and customers’ dates of birth.
When reached for comment, AT&T spokesman Stephen Stokes told TechCrunch in a statement: “We have no indication that our systems were compromised. We determined in 2021 that the information provided on the online forum did not appear to come from Our system. This appears to be the same dataset that has been reused multiple times on this forum.”
An AT&T spokesperson did not respond to a follow-up email from TechCrunch asking whether the alleged customer data was valid or where the customer data came from.
As Hunt noted, the source of the breach remains unconfirmed. It’s unclear whether AT&T knows where the data comes from. Hunter said the data could come from AT&T or “a third-party processor that they use, or from another entity that’s completely unrelated.”
What’s clear is that even three years later, we’re still no closer to solving this mysterious leak, and AT&T can’t reveal how its customer data ended up online.
Investigating data breaches and leaks takes time. But now AT&T should be able to better explain why millions of customers’ data is online for everyone to see.
TechCrunch’s Lorenzo Franceschi-Bicchierai contributed reporting.
