AT&T 70M User ‘Data Breach’ Record: Experts Set the Record Straight

Three years after it first surfaced, leaked data allegedly belonging to more than 70 million AT&T customers is circulating again, although the company is adamant the data did not come from its systems.

As Techopedia recently reported, cybercriminals released a sample of data that appears to contain sensitive information from 70 million AT&T users, dating from 2021. The sample includes names, phone numbers, physical addresses, email addresses, social security numbers, dates of birth, internal information, and more.

There is a considerable debate about where the information comes from, with AT&T saying that the information does not come from their systems and researchers concluding that — at the least — it is a genuine leak of customer data, whether it came from AT&T or a third party.

The leaked sample was analyzed by researchers including HaveIBeenPwned, Dark Web Informer, and VX-Underground. All of them concluded that the AT&T data being sold on a hacking forum is legitimate. A threat actor known as ‘MajorNelson’ is selling the data for just eight forum credits; as an example of the pricing scale, the listing works out to roughly 500 user records for 120 euros.

Techopedia talked to cybersecurity experts to bring some clarity to the classic hacker-said, company-said AT&T dispute and to better understand the threats to affected users and the legal ramifications for the company.

Key Takeaways

  • Data from over 70 million AT&T users has allegedly been leaked and is being sold on hacking forums.

  • The data is believed to have come from a 2021 breach executed by the hacker group ShinyHunters.
  • Experts say the AT&T customer data sold online is legitimate and warn it could be used to launch targeted attacks on those affected.
  • AT&T’s response aligns with a growing trend where companies deny the breach happened or blame third-party providers.
  • Legal experts define the responsibility and accountability of AT&T under new laws, why the company might want to avoid an investigation, and why the organization could be liable.

Why Are Hackers Releasing 2021 Breached Data Now?

In 2021, when the hacking group ShinyHunters put what is allegedly AT&T data on sale for $1 million, AT&T denied that their systems had been compromised.

AT&T says the same today, although the company has not answered whether the breach could have originated at a third-party provider.

One of the questions this security incident poses is: why is the data from a 2021 attack surfacing now? Shawn Waldman, CEO and Founder of Secure Cyber Defense, gave Techopedia some answers:

“I’m speculating that the threat actor is hoping to capitalize on the fact that AT&T was recently in the news with the cellular outage, which, to this date, we still don’t have a post-mortem report on – and we may never have one.”

The February 2024 AT&T network outage left tens of thousands of customers across America without service. AT&T is now being investigated by New York’s top prosecutors as consumer advocates call for refunds and demand higher standards.

But the February blackout is not the only reason this exfiltrated AT&T user data might be emerging on the dark web now. Waldman believes the years-long gap between the breach and the leak could be explained by the time needed to decrypt parts of the stolen data.

“This particular data set appears to have many of the encrypted elements from the previous breach decrypted, making it potentially much more valuable. This decryption process might explain the three-year delay before the data resurfaced.”

AT&T User Data: What Happens When Extortion Fails

While there is no confirmed information on whether ShinyHunters ever sold the data in 2021, the new seller’s asking price is very low. This is a common pattern in the underground ransomware and criminal world: once a group has breached an organization, it tries to extort payment in more than one way.

Classic extortion techniques include threatening to leak or sell the data to the highest bidder. But even when companies comply with the criminals’ demands, bad actors often sell the data on the dark web.

Adam Marrè, CISO of Arctic Wolf, explained new extortion techniques in play today to Techopedia.

“Since December 2023, we’ve seen an increase in double extortion attacks, where threat actors will solicit payment for ransomware decryption, only to demand more money for data deletion after getting an initial payment.

“We’ve also seen other techniques to ratchet up the pressure felt by victim organizations. Threat actors are emailing contacts at victim organizations more aggressively and are even calling organizations directly to try and coerce them into making payments,” Marrè added.

“Other ways to exert pressure include the deletion of backups and disruption of other technical assets to make recovery less viable without payment.”

The Third-Party Breach Blame Defence

As cyberattacks intensify and new laws that protect users against cybercrime and mandate standards and actions upon companies emerge, breached companies are increasingly deflecting responsibility and downplaying incidents to avoid reporting them.

Every company that works with third-party providers has signed contracts that establish each partner’s legal responsibilities. However, while these contracts and agreements are important for building secure solutions, in most cases the law does not let a company shift its own obligations to customers onto a third party, so a defense based on “third-party responsibilities” rarely holds.

The “blame third-party providers” defense is becoming increasingly common. Last year, Taiwan Semiconductor Manufacturing Company (TSMC), one of Apple’s biggest semiconductor suppliers, blamed a third-party supplier for a breach that resulted in a $70 million ransom demand from LockBit.

AT&T Exposed Users Likely Being Targeted by Criminals

Lisa McStay, COO of Continuity2, told Techopedia that the potential AT&T security incident is a common cyber problem in the business continuity and risk management area.

“I believe that what really happened is that one of AT&T’s third-party partners has been compromised, resulting in a gateway for the hacker to obtain the now leaked AT&T information.

“This is a problem I preach to my clients — when partnering with another business, it is crucial to audit their cyber defenses and enquire about their systems and processes. If you don’t…” McStay said.

McStay went on to list the consequences this incident has on the 70 million users whose information and sensitive data are circulating on the dark web.

“As a knock-on effect from this leak, the people whose information has been leaked will be subject to a host of targeted attacks, such as SMS, email phishing attacks, and even SIM swapping.”

“This, if I am correct in my assessment, could be highlighting a possible gap in knowledge and understanding for how businesses share data with each other in and during partnerships,” McStay said.

“To sum it up into an example: if you order a new phone case from Amazon, your data is then shared with the third-party delivery company that’ll deliver your package. Meaning, that Amazon customer information could be leaked if the third-party delivery company is breached.”

Waldman urged consumers to be hyper-aware that their data is likely being used for criminal or phishing purposes. He called on those affected to invest in password managers and password security, enable multi-factor authentication (MFA), freeze their credit, and migrate to FIDO/FIDO2 passkey-based authentication. Other analysts, meanwhile, are looking at the legal implications for AT&T and its responsibilities to its customers.

Rishi Bhargava, co-founder of Descope said: “I think the point of the breach is less about whether the leaked data came from AT&T systems and more about the fact that leaked data of millions of users is out there on the dark web and available for malicious use.

“While the data might technically be several years old, it includes SSNs, birthdates, email IDs, and other personal information that is persistent and enough for attackers to attempt account takeover.

“When data gets leaked to the dark web, it’s important to ask the “what next” question and think like a cybercriminal. This data will probably be combined with other leaked data to carry out credential stuffing, brute force, and other identity compromise attempts. This means any app you use that has password-based credentials and security questions is at risk of compromise.

“As a consumer, some actions you can take (both in response to this leak and in general) is to adopt passwordless authentication whenever possible, always enable 2FA to stop account takeover attempts, and use strong, unique passwords in conjunction with password managers if you must use passwords for some apps.”
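The attack patterns Bhargava describes (leaked credentials replayed against many accounts, and repeated guessing against one account until it succeeds) are what an authentication service should be watching for on the defender’s side. The following is an added example, not code from the article or from any of the vendors quoted in it: a small detector run over constructed authentication log lines. The log format, field names, IP addresses, usernames and thresholds are all assumptions made for illustration.

```python
"""Credential-stuffing and brute-force detection over auth log lines.

Added example for illustration only. The log format, sample lines,
IPs, usernames and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format, one attempt per line:
#   <ISO timestamp> <source_ip> <username> <OK|FAIL>
SAMPLE_LOG = """\
2024-03-20T10:00:01 203.0.113.7 alice FAIL
2024-03-20T10:00:02 203.0.113.7 bob FAIL
2024-03-20T10:00:03 203.0.113.7 carol FAIL
2024-03-20T10:00:04 203.0.113.7 dave FAIL
2024-03-20T10:00:05 203.0.113.7 erin FAIL
2024-03-20T10:00:06 203.0.113.7 frank OK
2024-03-20T10:00:07 198.51.100.9 alice FAIL
2024-03-20T10:00:08 198.51.100.9 alice FAIL
2024-03-20T10:00:09 198.51.100.9 alice FAIL
2024-03-20T10:00:10 198.51.100.9 alice OK
2024-03-20T10:05:00 192.0.2.20 alice OK
2024-03-20T11:30:00 203.0.113.7 gina FAIL
"""


def parse(log_text):
    """Turn the assumed log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail against >= min_users DISTINCT usernames
    inside a sliding time window.

    Credential stuffing replays leaked username/password pairs, so its
    signature is one source touching many accounts with few tries each.
    Returns {ip: max distinct users seen failing in any one window}.
    """
    failures_by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        if not ok:
            failures_by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in failures_by_ip.items():  # attempts are time-sorted
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans <= window.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=3):
    """Flag (ip, user) pairs where >= min_failures failures are followed by
    a success within the window: a guessed or stuffed password that
    eventually worked, i.e. a likely account takeover.
    Returns {(ip, user): number of failures preceding the success}.
    """
    recent_failures = defaultdict(list)
    takeovers = {}
    for ts, ip, user, ok in sorted(events):
        key = (ip, user)
        if ok:
            recent = [t for t in recent_failures[key] if ts - t <= window]
            if len(recent) >= min_failures:
                takeovers[key] = len(recent)
            recent_failures[key].clear()  # success resets the counter
        else:
            recent_failures[key].append(ts)
    return takeovers


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("stuffing sources:", detect_stuffing(evts))
    print("likely takeovers:", detect_brute_force(evts))
```

On the constructed sample, 203.0.113.7 is flagged for stuffing (five distinct accounts failing within ten minutes; the later attempt at 11:30 falls outside the window and does not extend the count), while 198.51.100.9 is flagged for a likely takeover of alice after three failures and a success. A real deployment would feed this from the identity provider’s logs and pair it with rate limiting and MFA enforcement, since detection alone does not stop a replayed password that is correct.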

What Happens When There’s a Compliance Breach

Irina Tsukerman, a New York-based U.S. human rights and national security lawyer and President of Scarab Rising, Inc, explained that whether some or all customers were affected, a company that holds private data owes its clients a fiduciary duty in the event of incidents impacting or threatening their personal information.

Companies like AT&T must meet the legal standards of any regulation that affects their operation. In December 2023, the Federal Communications Commission (FCC) adopted new rules that modified the Commission’s 16-year-old data breach notification rules.

The new rule applies to providers of telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS). Under the rule, phone companies are accountable for protecting sensitive customer data and must notify regulators and customers of breaches.

Tsukerman said that the FCC rule makes several notable changes to the prior rules, including broadening the definitions of a reportable “breach” and “covered data,” requiring covered entities to notify the FCC in addition to federal law enforcement of breaches, and modifying certain customer notification requirements.

While the rule is expected to become effective sometime in 2024, it already expands the definitions of ‘breach’ and ‘covered data’, as Tsukerman explained.

“It defines “breach” to include any access to, use, or disclosure of ‘covered data’ that is not authorized or that exceeds authorization. The Order states that this definition covers not only malicious activity but also inadvertent unauthorized access to, use, or disclosure of covered data.”

For breach notifications to customers, the order adopts a “harm-based trigger,” which creates a rebuttable presumption of harm that covered entities must overcome to avoid notifications, Tsukerman added.

Companies are known for stretching legal definitions to exploit loopholes in new laws and rules, such as the FCC rule and the new SEC cybersecurity disclosure rule, by appealing to ‘vague definitions’. But Tsukerman said the new rule is clear.

“Essentially, covered entities do not need to notify customers if they can reasonably determine that the breach is unlikely to cause harm to customers or where the breach only involved encrypted data and the covered entities have ‘definitive evidence’ that the encryption key was not also accessed, used, or disclosed.”

The Bottom Line

While the AT&T security incident leaves many questions unanswered, experts assured Techopedia that the data leak is legitimate and puts customers at risk from cyberattacks.

Furthermore, the increasingly common “blame your third-party provider” defense does not carry much weight in a court of law, as regulations require organizations to safeguard customer data and to notify users when they are affected.

In the end, the public may never know why the 2021 data was released in 2024, which systems were breached, or how many times the data has changed hands. Only the criminals linked to the attack know how often it has been sold and resold on the dark web.
