Telephone giant AT&T has reset millions of customer account passcodes after a massive data cache containing AT&T customer records went online earlier this month, TechCrunch has exclusively learned.
The US telecom giant launched the mass passcode reset after TechCrunch informed AT&T on Monday that the leaked data contained encrypted passcodes that could be used to access AT&T customer accounts.
A security researcher who analyzed the leaked data told TechCrunch that encrypted account passcodes are easy to crack. TechCrunch alerted AT&T to the security researcher’s findings.
In a statement released Saturday, AT&T said: “AT&T has launched a thorough investigation supported by internal and external cybersecurity experts. Based on our preliminary analysis, the dataset appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.
“AT&T has no evidence of unauthorized access to its systems resulting in exfiltration of the data set,” the statement said.
TechCrunch has suspended publication of this story until AT&T can begin resetting customer account passcodes. AT&T also publishes an article on what customers can do to secure their accounts.
This is the first time AT&T has acknowledged that the leaked data belongs to its customers, about three years after a hacker claimed responsibility for stealing 73 million AT&T customer records. AT&T had denied any breach of its systems, but the source of the leak remained inconclusive.
AT&T said Saturday that “it is not yet clear whether the data in these fields came from AT&T or one of its vendors.”
As of 2021, the hacker who claimed responsibility for the AT&T breach has only released a small sample of records, making it difficult to verify the authenticity of the data. Earlier in March, a data vendor posted all of AT&T’s alleged 73 million records online on a popular cybercrime forum, allowing for more detailed analysis of the leaked records. AT&T customers have since confirmed that their leaked account data was accurate.
The leaked data includes AT&T customers’ names, home addresses, phone numbers, dates of birth and Social Security numbers.
The security researcher told TechCrunch that each record of the leaked data also contains the AT&T customer account passcode in an encrypted format. The researcher demonstrated to TechCrunch in a video call how they decrypted the data into clear text account passcodes.
The researcher double-checked his findings by searching for records in the leaked data against AT&T account passcodes known only to them.
This is breaking news. More soon…
techcrunch
