A database advertised as containing data on roughly 70 million AT&T customers resurfaced online, reviving claims first made when a threat actor offered the records for sale in 2021. Reports said the exposed information included names, dates of birth, phone numbers, physical addresses, email addresses, and in many cases Social Security numbers, creating significant identity-theft and fraud risk for affected individuals.
AT&T said the leaked dataset did not come from its systems and reiterated that its internal investigation found no evidence of a direct compromise tied to the material being circulated. Independent analysis of the files, including review by breach researcher Troy Hunt, indicated the data appeared authentic for many individuals and likely originated from an older source, leaving the central dispute unresolved: the records look real, but AT&T maintains they were not exfiltrated from the company’s environment.

Timeline: 6 events, listed from the most recent confirmed update back to the earliest known activity.
AT&T said a leaked dataset affecting about 73 million current and former customers is legitimate, though it stated it has no evidence the data was exfiltrated directly from its own systems and said the source could be AT&T or a vendor. The company disclosed that 7.6 million current account holders and 65.4 million former customers were affected, reset passcodes for current customers, and offered credit monitoring and identity theft services where applicable.
By March 2024, independent analysis of the circulating data found strong indicators that the records were authentic and linked to AT&T customers, with many entries appearing current despite the company's earlier denial. The review suggested the dataset was not fabricated and likely reflected real customer information.
As the old dataset resurfaced widely in 2024, AT&T reiterated that the exposed information did not come from its systems and said the material appeared to be from 2019 or earlier. The company maintained that its internal investigation still showed no evidence of a direct breach of AT&T systems.
On 2022-08-12, reporting described a 3.6 GB dark web database containing Social Security numbers and related data for 23 million people that researchers said showed indicators of ties to AT&T. AT&T denied the data came from its systems and said forensic analysis suggested it may instead be connected to an earlier breach at another company, possibly a credit agency.
After the database sale claim surfaced, AT&T said it had investigated and found no evidence of unauthorized access to its systems, stating the leaked data did not originate from AT&T. This denial was reported across multiple outlets in August 2021.
In August 2021, the ShinyHunters hacking group advertised a database it claimed contained records for about 70 million AT&T customers, including personal information such as names, phone numbers, and Social Security numbers. The sale listing brought public attention to the alleged breach.