2024-04-01

The data on millions of AT&T users was stolen during a 2019 data breach, but was dumped online just last week.

In late February, a massive network outage shot AT&T into the headlines for the wrong reasons: The company’s terse statement on the matter asserted that the outage was caused not by a hack but by a coding error. Now the telecoms giant is in the news again, reacting to an actual cybersecurity problem that’s causing it to reset customer account passcodes on a massive scale–affecting some 7.6 million current AT&T users. Weirdly, the leaked data forcing AT&T’s hand actually dates back to a giant data leak that happened in 2019. It’s a reminder that a data hack on a business can have effects that resonate for many years.

Website TechCrunch learned about the data leak, which saw some 73 million AT&T customer records posted on a “known cybercrime forum” in recent weeks. The leak includes encrypted account passcodes, which are typically four-digit codes used to provide additional security for account holders–such as when calling customer service. Apparently, these codes are in an easily decryptable format inside the leaked data bundle: A cybersecurity expert TechCrunch consulted explained that the codes were encrypted with “insufficient randomness.”

In response, AT&T is doing a mass reset of customer passcodes. The leak affects about eight million people with current accounts, and some “65.4 million former account holders.” Back in 2021, a hacker apparently leaked a tiny sample of what they claimed were stolen AT&T customer records, and from the sample it wasn’t clear whether the hacker’s boast about the scale of the breach was true. The new leak leaves no doubt, and TechCrunch notes that for the first time AT&T has had to admit that the data does indeed concern its customers.

In a statement, AT&T said it has now “launched a robust investigation supported by internal and external cybersecurity experts,” and made a point of noting that it “does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set.”

Though only about eight million current AT&T customers are affected directly, the fact that nearly 66 million former accounts are in the data set is still concerning. As well as the passcodes that AT&T is resetting, the leaked data includes customer names, addresses, phone numbers, and more personal information like dates of birth and SSNs. That kind of personal information is useful to hackers, of course–and unlike credit card numbers and banking details, which will expire and change over time, rendering past hack attacks less of a direct threat, these details don’t expire. Clever hackers can even combine personal information like this with data gleaned from other leaks at different companies. They can then try social engineering or other methods to target victims and attempt to steal money by compromising their banking information.

AT&T said all affected customers will be contacted by the company regarding the leaked passcodes, no matter if they’re current or former customers.