Telecommunications giant AT&T announced Saturday that it had reset the passcodes of 7.6 million customers after determining that compromised customer data had been “released onto the dark web.”
“Our internal teams are working with external cybersecurity experts to analyze the situation,” AT&T said. “As far as we know, the compromised data appears to be from 2019 or earlier and contains no personal financial information or call history.”
The company said that “information varied by customer and account,” but that it could include a person's full name, email address, postal address, phone number, Social Security, date of birth, AT&T account number, and passcode.
In addition to these 7.6 million customers, 65.4 million former account holders were also affected.
The company said it will “separately contact people with compromised sensitive personal information and offer free identity theft and credit monitoring services.”
AT&T said it had reset passcodes for those affected and directed customers to a site with details on how to reset them. It also said it was launching a “robust investigation supported by internal and external cybersecurity experts.”
A company representative did not respond to specific questions about how the breach occurred or why it went unnoticed for so long.
TechCrunch, which first reported the passcode recovery, said it informed AT&T on Monday that “the leaked data contained encrypted passcodes that could be used to access AT&T customer accounts.”
TechCrunch said it delayed publishing its article until the company “could begin resetting customer account passcodes.”
In its report, TechCrunch states that “this is the first time AT&T has acknowledged that the leaked data belongs to its customers, nearly three years after a hacker claimed the theft of 73 million AT&T customer records.”
AT&T had previously denied a breach of its systems, but it was unclear how the leak occurred, TechCrunch reported.
AT&T said it did not know whether the leaked data “came from AT&T or one of its vendors” and that it has “no evidence of unauthorized access to its systems resulting in the theft of the data set.”
The episode comes after AT&T customers suffered a widespread outage last month that temporarily knocked out connections for users in the United States for several hours. The Feb. 22 outage affected customers in cities including Atlanta, Los Angeles and New York.
At its peak, there were about 70,000 outage reports for the wireless carrier, according to Downdetector.com, which tracks user reports of telecommunications and internet outages.
A few days later, AT&T offered customers affected by the outage a $5 credit in an effort to “make things right.”