Phone giant AT&T has reset millions of customer account passcodes after a huge cache of data containing AT&T customer records was dumped online earlier this month, TechCrunch has exclusively learned.
The U.S. telco giant initiated the passcode mass-reset after TechCrunch informed AT&T on Monday that the leaked data contained encrypted passcodes that could be used to access AT&T customer accounts.
A security researcher who analyzed the leaked data told TechCrunch that the encrypted account passcodes are easy to decipher. TechCrunch alerted AT&T to the security researcher’s findings.
In a statement provided Saturday, AT&T said: “AT&T has launched a robust investigation supported by internal and external cybersecurity experts. Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.”
“AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set,” the statement said.
TechCrunch held the publication of this story until AT&T could begin resetting customer account passcodes. AT&T also has a post on what customers can do to keep their accounts secure.
AT&T customer account passcodes are typically four-digit numbers that are used as an additional layer of security when accessing a customer’s account, such as calling AT&T customer service, in retail stores, and online.
This is the first time that AT&T has acknowledged that the leaked data belongs to its customers, some three years after a hacker claimed the theft of 73 million AT&T customer records. AT&T had denied a breach of its systems, but the source of the leak remains inconclusive.
AT&T said Saturday that “it is not yet known whether the data in those fields originated from AT&T or one of its vendors.”
In 2021, the hacker claiming the AT&T breach posted only a small sample of records, making it difficult to check if the data was authentic. Earlier in March, a data seller published the full 73 million alleged AT&T records online on a known cybercrime forum, allowing for a more detailed analysis of the leaked records. AT&T customers have since confirmed that their leaked account data is accurate.
The leaked data includes AT&T customer names, home addresses, phone numbers, dates of birth and Social Security numbers.
The security researcher told TechCrunch that each record in the leaked data also contains the AT&T customer’s account passcode in an encrypted format. The researcher double-checked their findings by looking up records in the leaked data against AT&T account passcodes known only to them.
This is breaking news. More to come…