The personal details of more than 70 million people are circulating online as part of an alleged AT&T data breach – but some are questioning AT&T’s denial.
A database of more than 73 million alleged AT&T customers has been posted to a clear web hacking forum multiple times in the last few days, but AT&T is continuing to deny it is the source of the mammoth trove of personal data.
The data, according to forum user MajorNelson – the same person who shared the details of a Sony leak last year – comes from a 2021 AT&T hack by ShinyHunters. At that time, the 73,481,539-line database was being auctioned off to the highest bidder, with the option of being purchased outright for US$1 million.
AT&T denied the database was linked to them at the time, too.
“Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems,” AT&T said in August 2021.
But speaking to Bleeping Computer, ShinyHunters insisted the data was legitimate.
“I don’t care if they don’t admit. I’m just selling,” ShinyHunters told BleepingComputer.
Now, however, the entire dataset is available for just eight site credits. Credits can be bought for as little as 500 for 120 euro, making this data far, far cheaper than it was when first circulated.
There’s also a second version of the data in circulation on the same forum, with more details added, including dates of birth and social security numbers. It, too, is being sold for eight site credits.
However, now that the data is more widely available, it can be analysed, which is what Troy Hunt of HaveIBeenPwned has done – and he is not so sure that AT&T’s denial adds up.
“The old adage of ‘absence of evidence is not evidence of absence’ comes to mind (just because they can’t find evidence of it doesn’t mean it didn’t happen), but as I said earlier on, I (and others) have so far been unable to prove otherwise,” Hunt said on his own blog. “So, let’s focus on what we can prove, starting with the accuracy of the data.”
Hunt took advantage of the fact that he has 4.8 million subscribers on HaveIBeenPwned, 153,000 of whom are in the alleged AT&T dataset. So he simply reached out to a handful of his subscribers to ask if they were in fact AT&T customers.
“That is my info,” said the first person to respond. “I am an AT&T customer.”
“This individual had their name, phone number, home address and most importantly, their social security number exposed,” Hunt said. “Per the linked [Bleeping Computer] story, social security numbers and dates of birth exist on most rows of the data in encrypted format, but two supplemental files expose these in plain text. Taken at face value, it looks like whoever snagged this data also obtained the private encryption key and simply decrypted the vast bulk (but not all of) the protected values.”
Other HaveIBeenPwned subscribers whose details were included in the dataset also confirmed the data was accurate, and that they were in fact AT&T customers.
Despite AT&T’s denials, Hunt will continue to examine the data.
“The truth is somewhere there in the data; I’ll add any relevant updates to this blog post if and when it comes out.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.