
AT&T data breach exposes 70 million records; here’s how to protect yourself


On Saturday, March 30, AT&T issued a press release providing new details about a years-old data breach. Here’s everything you need to know, from what sensitive personal data was leaked, to what you can do to protect yourself.


What data was exposed?

AT&T has acknowledged that customer information is out in the wild. The company stated that it still does not know whether the data originated from AT&T or one of its vendors; the source of the data is still being assessed.

The leaked data first appeared online in August 2021, nearly three years ago. At the time, AT&T stated that the company had not suffered a data breach—a position that the company has maintained up until now.

Following are the types of personally identifiable information (PII) included in the leak:

  • Full names
  • E-mail addresses
  • Mailing addresses
  • Phone numbers
  • Social security numbers
  • Dates of birth
  • AT&T account numbers
  • Passcodes

Not every customer affected by this breach necessarily had all of those data points exposed; AT&T states that the data varies by customer and account. As a precautionary measure, AT&T has reset the passcodes of the affected accounts, and said it would reach out by postal mail or e-mail to individuals with compromised sensitive personal information. AT&T said it would provide complimentary identity theft and credit monitoring services as well.

The history of the AT&T breach

In August 2021, a threat actor who self-identifies as ShinyHunters began selling a database that they claimed contained the personal information of over 70 million AT&T customers. The threat actor posted an advertisement for the sale of this data on a hacking forum. At the time, the data was only accessible to whoever paid for it.

Threat actor selling AT&T database on a hacking forum. Source: BleepingComputer

The seller has a long history of compromising websites; some past breaches include Microsoft’s GitHub, Teespring, and many more.

While AT&T denied suffering a breach, security researchers started digging. They quickly confirmed that the dataset included the details of actual customers—both current and past. At least some of the data may relate to AT&T’s customers as of 2019, but the leak may include more recent customers’ data as well.

Why is a years-old AT&T data breach back in the news?

Over the weekend, the same data was posted for free on a public hacking forum, making it instantly accessible to anyone who searches for it. The leaked dataset includes decrypted dates of birth and social security numbers.

Once again, security researchers quickly confirmed that the data contained the information of actual past or current AT&T customers.

Security researcher Troy Hunt also went through the data and polled some of his Have I Been Pwned subscribers to ask them if the information he found was indeed theirs—and it was. Hunt stated:

“As I’m fond of saying, there’s only one thing worse than your data appearing on the dark web: it’s appearing on the clear web. And that’s precisely where it is; the forum this was posted to isn’t within the shady underbelly of a Tor hidden service, it’s out there in plain sight on a public forum easily accessed by a normal web browser. And the data is real.”

Companies have a responsibility to make every reasonable effort to safeguard personally identifiable information. Exposure of such data can put individuals at risk of identity theft or other challenges. Handing over such information is, unfortunately, often the cost of doing business; you cannot become an account holder at AT&T or many other companies without sharing it. Thus, one has a reasonable expectation that a large corporation will have the resources to protect that information. On the other hand, anyone or any company can potentially be hacked or compromised, even if they try to get their security right.

What can I do to protect myself if my data was leaked?

Of course, there isn’t any way to expunge your personal information that has already been exposed. Generally speaking, you cannot change your social security number, and its exposure puts you at risk of identity theft.

Even if you have never been an AT&T customer, some of your PII may already have been exposed due to previous breaches at other companies.

So what can be done about it? There are several things you can do to protect yourself.

  1. Register your e-mail addresses with Have I Been Pwned (HIBP). This service is free and is run by the trusted security researcher Troy Hunt. HIBP notifies you if your e-mail address appears in a publicly available data dump. The site also allows you to manually check whether individual passwords are known to have been exposed.
  2. Choose a password manager that comes with data breach monitoring. For example, my password manager of choice, 1Password, has a feature called Watchtower which is integrated with Have I Been Pwned. This partnership means 1Password customers receive a notification if one of their passwords was leaked due to a data breach.
  3. Use a long, unique password for each site; never reuse passwords. This will help protect you from credential stuffing attacks, which are sometimes the source of data breaches.
  4. Enable two-factor authentication on all your accounts. This will help protect you in case your passwords leak, especially shortly after the breach occurs or after the data becomes widely available, before the company starts requiring password resets and often before HIBP notifies you that your information may have been exposed.
  5. Contact the breached company, if necessary. If you hear of a data breach at a company, service, or website with which you have an account, and HIBP doesn’t have information about the breach, you can try contacting the company to find out if your information was exposed. If so, they may offer services to help you monitor potential abuse of that data.
  6. Beware of data breach-related phishing scams. Once word of data breaches hits mainstream news, scammers may begin to send texts, e-mails, or robocalls, or buy malicious ads in Google search results, to try to phish your data. If you need to contact the breached company, do so via a bookmark you’ve previously saved in your browser, or by calling a phone number from a known-valid past communication from the company.
  7. Consider setting up fraud alerts with credit bureaus. You can set up free fraud alerts with credit bureaus such as Equifax, Experian, and TransUnion. The FTC explains that you can place a fraud alert “when you’re concerned about identity theft. It makes it harder for someone to open a new credit account in your name. It’s free and lasts 1 year.” After that year expires, you may want to renew it; consider adding an event to your calendar to ensure you don’t forget.
  8. Consider using an identity theft protection service. After a breach becomes public knowledge, major companies typically offer a free year of credit monitoring to their customers. You can sign up for these services, if you wish. Since big data breaches happen fairly often, you may be “lucky” enough to get free credit monitoring on an almost yearly basis. Alternatively, you can pay for a service on your own; Aura is a well-regarded service, but there are many out there. These services typically go beyond basic protections and can offer identity theft insurance, help you to resolve challenges resulting from identity theft or fraud, and more.
  9. Whenever possible, avoid sharing your PII. Providing personally identifiable information is often a prerequisite for signing up for banking, a mobile phone, or other services. But you can choose not to share data whenever it’s optional. Do you really need to make your birth date or phone number available to everyone on Facebook? Probably not, so try to avoid oversharing. When filling out forms, look for optional fields related to PII, and leave them blank. Sometimes online forms aren’t clear about which fields are required or optional until you try to continue, so try entering the minimum amount of information, and fill in only the fields that are required.

See also our article on how to avoid getting hacked after data breaches.


How can I learn more?

We discussed this AT&T data breach on episode 338 of the Intego Mac Podcast.

You may also be interested in reading about a different AT&T breach that affected 100,000 iPad users in 2010.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research.