Three years after a hacker first teased an alleged large theft of AT&T buyer information, a breach vendor this week dumped the complete dataset on-line. It incorporates the private data of some 73 million AT&T clients.
A brand new evaluation of the totally leaked dataset — containing names, house addresses, telephone numbers, Social Safety numbers, and dates of delivery — factors to the information being genuine. Some AT&T clients have confirmed their leaked buyer information is correct. However AT&T nonetheless hasn’t mentioned how its clients’ information spilled on-line.
The hacker, who first claimed in August 2021 to have stolen tens of millions of AT&T clients’ information, solely revealed a small pattern of the leaked information on the time, making it tough to confirm its authenticity.
AT&T, the most important telephone service in the US, mentioned again in 2021 that the leaked information “doesn’t seem to have come from our programs,” but it surely selected to not speculate as to the place the information had originated or whether or not it was legitimate.
Troy Hunt, a safety researcher and proprietor of information breach notification web site Have I Been Pwned, just lately obtained a duplicate of the complete leaked dataset. Hunt concluded the leaked information was actual by asking AT&T clients if their leaked information had been correct.
In a weblog submit analyzing the information, Hunt mentioned that of the 73 million leaked information, the information contained 49 million distinctive e mail addresses, 44 million Social Safety numbers, in addition to buyer dates of delivery.
When reached for remark, AT&T spokesperson Stephen Stokes advised TechCrunch in a press release: “We’ve no indications of a compromise of our programs. We decided in 2021 that the knowledge supplied on this on-line discussion board didn’t seem to have come from our programs. This seems to be the identical dataset that has been recycled a number of occasions on this discussion board.”
The AT&T spokesperson didn’t reply to observe up emails by TechCrunch asking if the alleged buyer information was legitimate or the place its clients’ information got here from.
As Hunt notes, the supply of the breach stays inconclusive. And it’s not clear if AT&T even is aware of the place the information got here from. Hunt mentioned it’s believable that the information originated both from AT&T or “a third-party processor they use or from one other entity altogether that’s solely unrelated.”
What is obvious is that even three years later, we’re nonetheless no nearer to fixing this thriller breach, nor can AT&T say how its clients’ information ended up on-line.
Investigating information breaches and leaks takes time. However by now AT&T ought to have the ability to present a greater clarification as to why tens of millions of its clients’ information is on-line for all to see.
TechCrunch’s Lorenzo Franceschi-Bicchierai contributed reporting.