AT&T resets passcodes for 7.6M customers after dark web data leak

72+ million current and former AT&T customers face potential identity theft and unauthorized account access due to exposed personal identifiable information including Social Security numbers.
72 million people now face potential identity theft from a breach AT&T didn't discover itself
AT&T learned about the dark web leak from TechCrunch, not from its own security systems, raising questions about detection and oversight.

In the quiet accumulation of digital trust, AT&T now confronts a reckoning years in the making: the personal records of over 72 million current and former customers — names, Social Security numbers, passcodes — have surfaced on the dark web, traced to data that appears to predate 2021. The company, which once dismissed an earlier warning as unfounded, has begun resetting passcodes for 7.6 million active subscribers after a journalist's inquiry forced the issue into the open. What lingers is not only the exposure itself, but the uncomfortable gap between when this data was likely taken and when the world was told — a reminder that in matters of digital security, silence is rarely the same as safety.

  • Over 72 million AT&T customers — current and former — now face the real possibility that their Social Security numbers, addresses, and account credentials are circulating in criminal markets.
  • AT&T was not the one who found the breach: a journalist at TechCrunch alerted the company last Monday, and publication was deliberately delayed to allow passcode resets to begin before the story went live.
  • A security researcher warned that the encrypted passcodes found on the dark web could be decrypted without significant technical difficulty, meaning the window for harm was already open.
  • AT&T has yet to determine whether the breach originated from its own infrastructure or a third-party vendor — an unresolved question that leaves the true perimeter of the vulnerability unknown.
  • The incident echoes a 2021 warning AT&T dismissed: a hacker claimed to be selling 70 million subscriber records, the company denied it, and years later customers were able to verify the leaked data was real.
  • Cybersecurity experts are urging affected individuals to change passwords, enable multi-factor authentication, place fraud alerts with all three major credit bureaus, and enroll in dark web monitoring — because the data, once out, cannot be recalled.

AT&T reset account passcodes for 7.6 million current customers after a large cache of customer data appeared on the dark web. The breach also affects 65.4 million former account holders, bringing the total to more than 72 million people. The exposed data includes names, Social Security numbers, email and mailing addresses, phone numbers, dates of birth, and AT&T account credentials — though the company says financial information and call history were not part of the leak.

AT&T learned of the situation last Monday when TechCrunch reached out to report that encrypted passcodes discoverable on the dark web could be used to access subscriber accounts. A security researcher noted that decrypting those passcodes would not be technically difficult. TechCrunch held its story to give AT&T time to begin resetting credentials before publication.

The origin of the breach remains unresolved. AT&T says it has found no evidence of unauthorized access to its own systems and is working with outside cybersecurity experts to determine whether the source was internal infrastructure or a vendor. The uncertainty is significant — if a third party is responsible, the vulnerability may reach beyond AT&T's direct control.

The timeline raises harder questions. In 2021, a hacker claimed to be selling a dataset of 70 million AT&T subscriber records. AT&T denied the data came from its systems. Last month, what appeared to be the full dataset was published on a dark web forum, and customers were able to confirm the leaked information was genuine — years after the initial claim was dismissed.

Experts describe the combination of exposed data as particularly dangerous, enabling identity theft, phishing, and unauthorized account access. Affected customers are advised to change their AT&T passcodes, enable multi-factor authentication, monitor credit reports, and consider dark web monitoring services. Fraud alerts can be placed for free with Equifax, Experian, and TransUnion. Security professionals also note that large enterprises are no less vulnerable than small ones — and that breaches of this scale often go undetected for more than 200 days.

AT&T moved to reset account passcodes for 7.6 million of its current customers on Saturday after discovering that a trove of customer data had surfaced on the dark web. The leaked information appears to originate from 2019 or earlier, but its reach extends far beyond current subscribers—the breach also exposed records belonging to 65.4 million former AT&T account holders, bringing the total number of affected people to over 72 million.

The scope of what was exposed varies from account to account, but the inventory is sobering. Names, email addresses, mailing addresses, phone numbers, Social Security numbers, dates of birth, AT&T account numbers, and passcodes all appear in the compromised dataset. The company stated that the leak does not include financial information or call history, a narrow consolation given what was taken. AT&T notified affected customers through email or letter and urged them to monitor their account activity and credit reports closely.

The company learned of the breach last Monday when TechCrunch contacted AT&T to report that encrypted passcodes discoverable on the dark web could be used to access subscriber accounts. A security researcher indicated that decrypting these passcodes would not present a significant technical challenge. TechCrunch delayed publishing its findings to give AT&T time to begin resetting passcodes before the story went public.

What remains unclear is the origin of the breach itself. AT&T said it has found no evidence of unauthorized access to its own systems that would explain the data theft. The company is working with outside cybersecurity experts to determine whether the leak came from AT&T's infrastructure or from one of its vendors. This uncertainty matters: if a third party was responsible, it suggests the vulnerability may extend beyond AT&T's direct control.

The timing raises uncomfortable questions about AT&T's awareness. In 2021, a hacker claimed to be selling a dataset containing personal information on 70 million subscribers. AT&T dismissed the claim at the time, saying the data did not appear to originate from its systems. Last month, someone published what appeared to be the full set of records on a dark web forum. A closer examination of the data allowed AT&T customers to verify that the leaked information was genuine—a confirmation that came years after the initial 2021 claim.

Cybersecurity experts emphasize the severity of what was exposed. Anne Cutler, a cybersecurity evangelist at Keeper Security, noted that the combination of full names, Social Security numbers, email addresses, and passcodes creates a particularly dangerous scenario. The exposed data could enable identity theft, phishing attacks, and unauthorized account access. She recommends that affected customers change their AT&T passcodes immediately, enable multi-factor authentication wherever possible, monitor their credit reports, and consider enrolling in dark web monitoring services.

AT&T customers can reset their passcodes by logging into their myAT&T profile, navigating to the "My linked accounts" section, selecting Edit for the passcode they wish to change, and following the prompts. The company also advised customers to set up free fraud alerts with the three major credit bureaus—Equifax, Experian, and TransUnion—and to review their credit reports through Freecreditreport.com.

Tyler Young, CISO at BigID, offered perspective on the detection challenge. Industry data suggests it takes an average of more than 200 days for companies to discover a security breach. Young emphasized that organizations should maintain a clear inventory of what sensitive data they hold, particularly information like Social Security numbers and addresses. The assumption that only small companies without adequate resources fall victim to breaches, he noted, is a dangerous misconception. Large enterprises face the same vulnerabilities, and the scale of this incident—affecting more than 72 million people—underscores that reality.

The severity of this data breach is significantly heightened because of the Personal Identifiable Information, including full names, email addresses, mailing addresses, phone numbers, Social Security numbers, dates of birth, AT&T account numbers, and passcodes, that were part of the compromised data.
— Anne Cutler, cybersecurity evangelist at Keeper Security
Companies should know what data they have and be aware of what sensitive information they have on file in case a breach like this occurs. It is a common misconception that only small companies without proper resources are vulnerable to attacks.
— Tyler Young, CISO at BigID
The Hearth Conversation Another angle on the story
Inventor

Why did it take so long for AT&T to discover this breach if the data was from 2019 or earlier?

Model

The company didn't discover it themselves—TechCrunch found it on the dark web and told them. That's a crucial distinction. AT&T had no visibility into the fact that this data was circulating until a journalist brought it to their attention.

Inventor

So AT&T might still not know about it if TechCrunch hadn't been paying attention?

Model

Exactly. And there's a wrinkle: a hacker claimed back in 2021 that they were selling a dataset of 70 million AT&T subscribers. AT&T said it wasn't theirs. Then last month, someone published the full records publicly. Only then could customers verify the data was real. AT&T had years to notice.

Inventor

What's the actual risk for someone whose Social Security number is in this leak?

Model

Identity theft becomes much easier. Someone has your name, address, phone number, and SSN all in one place. They can open accounts, apply for credit, file tax returns in your name. The passcodes make it worse because they could access your AT&T account directly and change the recovery information.

Inventor

Did AT&T know this was coming from their own systems or a vendor?

Model

They don't know yet. That's still under investigation. It matters because if it's a vendor, the vulnerability might affect other companies too. And it raises questions about how AT&T monitors what third parties do with customer data.

Inventor

What should someone actually do right now if they're affected?

Model

Change your AT&T passcode immediately. Set up fraud alerts with the credit bureaus. Monitor your credit report. Consider a dark web monitoring service. Enable multi-factor authentication on every account you can. The experts are clear: this isn't a one-time fix.

Inventor

Is this unusual for a company AT&T's size?

Model

No. That's the unsettling part. The average company takes over 200 days just to detect a breach. Large enterprises aren't immune—they're targets. AT&T has the resources to prevent this, but prevention and detection are different problems.

Contact Us FAQ