Personal information of millions of AT&T customers leaked online 

The company is informing 51 million people that their data was shared publicly in March.
visitor walks past US multinational telecommunications AT&T logo during the Mobile World Congress (MWC), the telecom industry's biggest annual gathering, in Barcelona on February 26, 2024. (Photo by PAU BARRENA/AFP via Getty Images)

AT&T on Wednesday began the process of notifying more than 51 million people that their personal information, including social security numbers, were part of a massive dataset shared publicly last month, according to a filing with the Office of the Maine Attorney General.

AT&T became aware March 26 that a large tranche of customer data had been released on the dark web on March 17, the company said in a template letter attached to the filing in Maine. The data — dating back to June 2019 or earlier — varied by the individual and account, the company said, but could have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode.

The company said it reset users’ four-digit passcodes, which are used as an additional layer of security to access a customer’s account. The passcodes were stored in an encrypted format, but the encryption was easily deciphered, according to a security researcher who shared the information with TechCrunch for a story published on March 30.

The data includes information on roughly 7.6 million current customers and 65.4 million former account holders, the company said in a statement posted to its website and updated Tuesday. AT&T reported in the Maine filing that 51,226,382 people were affected.


The company did not immediately respond to a question about the discrepancy between those figures.

A dataset purporting to contain more than 70 million rows of AT&T customer data was offered for sale in 2021, Bleeping Computer reported at the time. Only a small sample of that data was released, and AT&T denied that it was company data. The full set was what was apparently dumped online in mid-March, according to TechCrunch.

AJ Vicens

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).

Latest Podcasts