Do you remember AT&T’s old motto, “Reach out and touch someone”? Well, according to BleepingComputer, the company on Saturday confirmed that cyberattackers reached out and touched the data of 73 million someones.
The data, according to a statement from the company, hails from 2019 and comes from approximately 7.6 million current customers and approximately 65.4 million former account holders. The data includes social security numbers and was found on the dark web two weeks ago. AT&T further states that it has no evidence the data resulted from unauthorized access to its systems and that the incident has not had a material impact on operations.
In another statement, AT&T confirmed that a number of passcodes for the 7.6 million users had been compromised and have since been reset. The data, according to the company, does not include personal financial information or call history.
Also according to BleepingComputer, the data hails from an alleged 2021 data breach perpetrated by the bad actor ShinyHunters, which began selling the data in August of that year. On March 17, another bad actor known as MajorNelson leaked sample data allegedly from the same 2021 breach; the sample included names, addresses, mobile phone numbers, encrypted dates of birth and other information.
Why Fess Up Now?
Since the breach was first reported three years ago, AT&T has been cagey about admitting the data was theirs or acknowledging from whence the data came, other than to repeat ad nauseam that the data did not originate from a breach of any of their systems.
The logical conclusion, if this statement is accurate, is that the data was stolen from a third-party vendor. AT&T’s statement on Saturday all but says as much.
“AT&T* has determined that AT&T data-specific fields were contained in a data set released on the dark web approximately two weeks ago. While AT&T has made this determination, it is not yet known whether the data in those fields originated from AT&T or one of its vendors,” reads the statement.
But why did AT&T wait so long to say anything whatsoever about where the data might have come from?
“On Saturday, AT&T still speculated that the data may have come from one of its vendors, and I can only surmise AT&T finally is acknowledging the breach due to potential issues the company may face with the SEC regulations surrounding materiality. That is the most logical conclusion at this point. It's unfortunate there aren't more incentives for organizations to take a proactive response to cybersecurity incident response,” says Tom Marsland, VP of technology at Cloud Range.