Customer data tied to Central Tickets and AT&T surfaced on hacking forums, exposing large volumes of personally identifiable information and raising questions about how long the records had circulated before becoming public. Central Tickets data posted in September 2024 affected 723,000 unique email addresses and included names, phone numbers, IP addresses, purchase records, and passwords; the breach likely occurred months earlier. The password data was reportedly stored as unsalted SHA-1 hashes, pointing to weak credential protection.
A separate leaked dataset allegedly linked to AT&T contained tens of millions of records and was publicly posted after first being offered for sale in 2021. The exposed information included names, email and physical addresses, dates of birth, phone numbers, and U.S. Social Security numbers. AT&T initially said its systems had not been breached, then later acknowledged the dataset contained AT&T-specific fields and said it remained unclear whether the compromise originated inside AT&T or through a vendor; the company subsequently reset customer account passcodes.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
7 events from the most recent confirmed update back to the earliest known activity.
In September 2024, data from ticketing service Central Tickets was publicly posted to a hacking forum. The leak exposed 723,000 unique email addresses along with names, phone numbers, IP addresses, purchase records, and passwords stored as unsalted SHA-1 hashes.
The Central Tickets dataset publicly posted later in 2024 appears to have originated from a breach that likely happened several months earlier. The exposed data ultimately affected 723,000 unique email addresses and included names, phone numbers, IP addresses, purchase records, and unsalted SHA-1 password hashes.
Following its review of the leaked dataset, AT&T reset customer account passcodes. The move indicated concern that passcodes may have been exposed in the incident.
Twelve days after its initial denial, AT&T said the leaked dataset included AT&T-specific fields. The company stated it was still unclear whether the compromise occurred within AT&T or through a vendor.
After the March 2024 leak, AT&T said its own systems had not been compromised and suggested the exposed data came from another source. This was the company's initial public response to the incident.
In March 2024, tens of millions of records allegedly linked to AT&T were posted on a popular hacking forum after previously being sold. The leaked data included names, email addresses, physical addresses, dates of birth, phone numbers, and U.S. Social Security numbers.
A dataset later alleged to belong to AT&T was first offered for sale in August 2021. The records reportedly included sensitive customer information and predated the later public leak by several years.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.