Today: Aug 04, 2025

AT&T Resets Account Passcodes After Millions of Customer Records Leak Online

1 year ago

Phone giant AT&T has taken significant action by resetting millions of customer account passcodes following the discovery of a massive cache of leaked data containing AT&T customer records online earlier this month, TechCrunch has exclusively learned.

The U.S. telco giant initiated the mass-reset of passcodes after being informed by TechCrunch that the leaked data included encrypted passcodes that could potentially grant unauthorized access to AT&T customer accounts.

A security researcher who examined the leaked data informed TechCrunch that the encrypted account passcodes were susceptible to deciphering. TechCrunch promptly alerted AT&T to these findings.

In a statement provided on Saturday, AT&T disclosed that the data set, believed to be from 2019 or earlier, impacted approximately 7.6 million current AT&T account holders and about 65.4 million former account holders.

Despite the data leak, AT&T stated that it had not found evidence of unauthorized access to its systems resulting in the extraction of the data set.

TechCrunch delayed publishing this story until AT&T commenced resetting customer account passcodes. Additionally, AT&T has shared guidance for customers on how to enhance the security of their accounts.

AT&T customer account passcodes, typically four-digit numbers, serve as an additional layer of security for accessing customer accounts via phone calls to AT&T customer service, in retail stores, and online.

This marks the first time AT&T has acknowledged that the leaked data pertains to its customers. Three years ago, a hacker claimed to have stolen 73 million AT&T customer records; AT&T denied a breach at that time, and the source of the leak remained inconclusive.

AT&T clarified on Saturday that it is uncertain whether the data in question originated from AT&T or one of its vendors.

In 2021, the hacker responsible for the alleged AT&T breach shared only a small sample of records, making verification difficult. However, earlier this month, a data seller published the purported full 73 million AT&T records online on a known cybercrime forum, allowing for a more comprehensive analysis. AT&T customers have since verified the accuracy of their leaked account data.

The leaked data contains sensitive information, including AT&T customer names, home addresses, phone numbers, dates of birth, and Social Security numbers.

Security researcher Sam “Chick3nman” Croley noted that each record in the leaked data includes the AT&T customer’s encrypted account passcode. Croley determined that the encryption was insufficiently random, making it possible to deduce the customer’s four-digit passcode based on surrounding information in the leaked data set.
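The weakness described above, protecting a four-digit value without enough per-record randomness, can be checked for in a data store by counting distinct stored values. The sketch below is an added example, not code from the article or from AT&T; the article does not describe the actual scheme, so the keyed-HMAC functions, the key, and the sample passcodes are constructed stand-ins.

```python
import hashlib
import hmac
import os
from collections import Counter

KEYSPACE = 10_000  # every possible four-digit passcode, 0000-9999

def deterministic_protect(passcode: str, key: bytes) -> bytes:
    """Hypothetical scheme with no per-record randomness."""
    return hmac.new(key, passcode.encode(), hashlib.sha256).digest()

def randomized_protect(passcode: str, key: bytes) -> bytes:
    """Same keyed primitive, but with a fresh 16-byte salt per record."""
    salt = os.urandom(16)
    return salt + hmac.new(key, salt + passcode.encode(), hashlib.sha256).digest()

def audit_stored_values(values):
    """Summarise how much equality information a stored column leaks."""
    counts = Counter(values)
    return {
        "records": len(values),
        "distinct": len(counts),
        "max_repeat": max(counts.values()),
        # Repeats capped by the keyspace mean equal passcodes are visible.
        "looks_deterministic": len(counts) < len(values) and len(counts) <= KEYSPACE,
    }

def constructed_passcodes(n: int):
    """Constructed sample data: n four-digit strings, not real records."""
    return [f"{(i * 7919) % KEYSPACE:04d}" for i in range(n)]

KEY = b"constructed-demo-key"  # placeholder key for the demo only
PASSCODES = constructed_passcodes(20_000)
DET_REPORT = audit_stored_values([deterministic_protect(p, KEY) for p in PASSCODES])
RAND_REPORT = audit_stored_values([randomized_protect(p, KEY) for p in PASSCODES])

if __name__ == "__main__":
    print("deterministic:", DET_REPORT)
    print("randomized:   ", RAND_REPORT)
```

Per-record salts remove the visible repeats, but a four-digit secret still has only 10,000 candidates, so the key protecting it has to stay out of the data store.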

AT&T has pledged to contact all 7.6 million existing customers whose passcodes were reset, as well as current and former customers whose personal information was compromised.

Kara Nesvig

Kara Nesvig covers pop culture, celebrity, beauty, and style for publications including Teen Vogue, Allure, People, and Brides. She is the author of Britney Spears Oracle.