PSA: AT&T Customer? Change Your Password and Check Your Credit File

AT&T Credit: Mike Mozart / Flickr CC

AT&T has just acknowledged a massive data breach affecting millions of its customers—both current and former—that exposed not only account passwords but also more sensitive information like names, addresses, and even Social Security Numbers.

After a substantial data set of AT&T customer records was posted online earlier this month, a security researcher analyzed the data and told TechCrunch that it contained encrypted account passwords that were “easy to decipher.” TechCrunch subsequently alerted AT&T to these findings, prompting the telecom giant to reset millions of customer account passcodes in response.

On Saturday, AT&T told TechCrunch that it had begun a “robust investigation supported by internal and external cybersecurity experts.” So far, it believes the leaked data comes from 2019 or earlier and that it impacts approximately 7.6 million current AT&T customers, and 65.4 million former customers.

Although a hacker claimed to have stolen 73 million AT&T customer records three years ago, the company denied any breach of its systems at the time. The 2021 disclosure included only “a small sample” of the records, so nobody was certain if the data was authentic, and the matter was quickly forgotten until a data seller published the full 73 million on a known cybercrime forum in early March.

At that point, AT&T confirmed that the leaked data is indeed accurate, although the source of the leak remains unclear, with the company saying “it is not yet known whether the data in those fields originated from AT&T or one of its vendors.”

AT&T has also published a webpage about the leak, noting that it has reset the account passcodes of the 7.6 million impacted customers who are still with AT&T.

While there’s no need to reset passcodes for those who are no longer customers, the carrier says it “will be communicating with current and former account holders with compromised sensitive personal information,” although it emphasizes that no “personal financial information or call history” is included in the leaked data.

“To the best of our knowledge, the compromised data appears to be from 2019 or earlier and does not contain personal financial information or call history.” (AT&T)

Nevertheless, TechCrunch confirmed that the data does include customers’ names, home addresses, phone numbers, dates of birth, and Social Security numbers — all of which are enough to give criminals an edge to begin conducting identity-related fraud, such as trying to take out loans, credit cards, or lines of credit in another person’s name.

As a result, AT&T recommends anyone affected keep an eye on their credit reports in case anything suspicious shows up so they can deal with it immediately.

We encourage customers to remain vigilant by monitoring account activity and credit reports. You can set up free fraud alerts from nationwide credit bureaus — Equifax, Experian, and TransUnion. You can also request and review your free credit report at any time via

Although the account passcodes in the data dump were encrypted, security researchers noted that they were trivial to decipher since they’re typically only four digits. Many customers use numbers that are easy to remember, such as the last four digits of a Social Security number, phone number, or the year of their birth—all data that also conveniently happened to be included in the data dump.

This data, combined with the limited number of possibilities for a four-digit passcode, allowed security researcher Sam “Chick3nman” Croley to decipher nearly every passcode in the file.

“By correlating encrypted account passcodes to surrounding account data — such as customer dates of birth, house numbers, and partial Social Security numbers and phone numbers — Croley was able to reverse-engineer which encrypted values matched which plaintext passcode.” (TechCrunch)

The more challenging ones were those who used more than four digits for their passcode, again demonstrating why you should always use a longer passcode. Many folks don’t realize that it’s possible to use more than four digits for most of these codes; even most banks and ATMs will accept PINs longer than four digits, and every additional digit makes your PIN all that much harder to crack — as long as it’s not something obvious like your birthday, of course.
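For anyone who runs a system that lets customers pick a numeric passcode, the weakness described above can be caught when the passcode is set. The following is an added example, not code from AT&T or TechCrunch: a check that rejects passcodes that are short or that contain digits taken from the account's own record. The field names, the six-digit minimum, and the sample record are assumptions made for illustration.

```python
import re

MIN_LENGTH = 6  # assumed policy floor; the article only says more than four digits is harder


def digits(value):
    """Keep only the digits of a field (None becomes an empty string)."""
    return re.sub(r"\D", "", value or "")


def guessable_from_account(account):
    """Digit strings derivable from the account fields the article lists as exposed."""
    ssn, phone = digits(account.get("ssn")), digits(account.get("phone"))
    year, month, day = ((account.get("dob") or "").split("-") + ["", "", ""])[:3]
    house = digits((account.get("address") or "").split(" ")[0])
    candidates = {
        "last four digits of SSN": {ssn[-4:]},
        "last four digits of phone number": {phone[-4:]},
        "date of birth": {year, month + day, day + month, month + day + year,
                          day + month + year, year + month + day},
        "house number": {house.zfill(4) if house else ""},
    }
    # Anything shorter than four digits cannot be a whole passcode on its own.
    return {k: {v for v in vals if len(v) >= 4} for k, vals in candidates.items()}


def check_passcode(passcode, account):
    """Return the reasons to reject a new passcode; an empty list means accept."""
    if not passcode.isdigit():
        return ["must contain digits only"]
    reasons = []
    if len(passcode) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} digits "
                       f"(only {10 ** len(passcode):,} possible values)")
    for label, values in guessable_from_account(account).items():
        if any(v in passcode for v in values):
            reasons.append(f"contains {label}")
    return reasons


SAMPLE_ACCOUNT = {  # constructed record for illustration, not real customer data
    "ssn": "000-00-6789", "phone": "555-010-4321",
    "dob": "1984-07-15", "address": "742 Example Street",
}

if __name__ == "__main__":
    for candidate in ("6789", "1984", "198407", "305918"):
        print(candidate, check_passcode(candidate, SAMPLE_ACCOUNT) or "accepted")
```

Note that a six-digit passcode such as 198407 still fails here because it embeds the birth year, which matches the article's caveat that extra digits only help when the number is not something obvious.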

Meanwhile, if you’re currently an AT&T customer who was affected by the breach, your passcode should have already been reset, but it’s not a bad idea to change it even if AT&T hasn’t contacted you. If you’re a former customer, you don’t have an AT&T account to worry about, but you should keep an eye on your credit file. AT&T says it will be sending out emails and letters to former customers, but those will be sent to the last address the company had on file, so you may not hear from them if you’ve moved since then. For more information, you can visit AT&T’s “Keeping your account secure” page.
