A known threat actor has reemerged with data from a 2021 AT&T breach affecting 70 million customers.
Reports revealed that the data has now been modified to link Social Security numbers (SSNs) and dates of birth (DOBs) directly to individual accounts.
This re-release consolidates previously separate files into a more extensive and potentially harmful leak.
AT&T has informed a news outlet that it is looking into the situation but believes this data stems from an already-known breach, merely repackaged.
The telecommunications company remarked that cybercriminals frequently employ the tactic of repackaging previously disclosed data for financial gain.
Additionally, the firm acknowledged that it recently became aware of reports claiming its data was up for sale on dark web forums and confirmed a comprehensive investigation is underway.
This AT&T breach data first reemerged last year.
According to investigations, a threat actor took the alleged data during the 2024 AT&T Snowflake breach, which compromised the call logs of 109 million customers.
In a forum post, the threat actor claimed they had backed up one of the databases from the Snowflake breach, asserting that fake or placeholder entries, possibly federal agents, were eliminated and that the SSNs and DOBs had been decrypted.
However, the cybersecurity outlet’s analysis indicated that this data actually came from the 2021 AT&T breach, which involved the threat group ShinyHunters. At that time, the group attempted to sell the dataset for $200,000.
In March 2024, another threat actor released the entire AT&T dataset for free on a cybercrime forum, claiming it originated from ShinyHunters’ original breach.
The leaked information featured customer names, addresses, mobile numbers, encrypted dates of birth, encrypted Social Security numbers, and various internal records.
Significantly, the leak also included files mapping the encrypted SSNs and DOBs to their corresponding unencrypted plaintext values.
While AT&T initially denied ownership of the data, the company later confirmed it had indeed been taken from its systems and impacted around 73 million customers.
Further examination of the current leak verified that it is the same dataset that surfaced in 2024, albeit cleaned and reorganized. The updated version removed internal AT&T data and added unencrypted SSNs and DOBs to each customer record for easier correlation.
The leak consists of 88,320,017 lines of data. After removing duplicates, this number shrinks to 86,017,088 unique records. Further scrutiny revealed 48,896,044 unique phone numbers linked to customer profiles.
The record count decreased due to customers appearing multiple times with the same phone number registered at different addresses.
In conclusion, this incident does not involve newly breached AT&T data or compromised material from the Snowflake attack. Instead, it presents a more refined and potentially more exploitable iteration of the original 2021 data breach.
