(Bloomberg) — AT&T Inc. said personal data of about 73 million current and former customers was leaked on the dark web, prompting the reset of 7.6 million account passwords.
Most Read from Bloomberg
The data, which includes 65.4 million former customers, leaked onto the dark web two weeks ago. The disclosed information included customers' full name, email and mailing address, phone number, Social Security number, date of birth, AT&T account number and passcode, the company said in an email to consumers. It apparently does not contain personal financial information or call history.
The data appears to be from 2019 or earlier, AT&T said in a statement Saturday. According to AT&T, the source of the data is still being investigated and it is not known whether it came from the company or from a vendor.
Shares were little changed at $17.50 after falling nearly 3% Monday morning.
Also Read: AT&T Outages Spurred by Company Work on Network Expansion
AT&T said there was no evidence of unauthorized access to its systems and that the leak did not have a significant impact on its operations on Saturday.
“The company proactively communicates with victims and will provide credit monitoring at our expense where applicable,” the statement said.
AT&T Sued Over Data Breach A class action lawsuit was filed March 30 in the U.S. District Court for the Northern District of Texas, alleging the company negligently maintained customers' personally identifiable information and failed to take steps to protect its system.
The latest data leak comes three years after a hacker known as ShinyHunters allegedly stole the personal information of about 70 million AT&T customers, according to reports by BleepingComputer at the time. AT&T denied it was affected by the data breach, saying the stolen information did not come from its own systems.
The hacker released only a small sample of records in 2021, which sold for a starting price of $30,000, according to media reports at the time. ShinyHunters has previously taken credit for breaches against other US companies, only to post databases of stolen data after failing to pay other dark web users.
TechCrunch previously reported on the latest leak after a data vendor posted 73 million AT&T records to a cybercrime forum. TechCrunch said it notified AT&T of the leak last week and is publishing its article until the company begins resetting the passwords.
According to data compiled by Bloomberg, Verizon Communications Inc. and AT&T is the third-largest U.S. retail wireless carrier behind T-Mobile US Inc. The company suffered a widespread outage in February that took hours to resolve, prompting a federal government investigation.
T-Mobile has agreed to pay $350 million to settle a class-action lawsuit in 2022 after the records of more than 50 million customers were leaked. The following year, it disclosed another major breach of customer information of about 37 million subscribers.
(Updates with leaked data in the second column and information related to the case in the sixth column.)
Most read from Bloomberg Businessweek
©2024 Bloomberg LP