Phone giant AT&T has taken action to reset millions of customer account passcodes following the discovery of a massive data dump containing AT&T customer records earlier this month, TechCrunch has exclusively learned.
The U.S. telecommunications giant initiated the mass reset of passcodes after TechCrunch notified AT&T on Monday that the leaked data included encrypted passcodes that could potentially be exploited to access AT&T customer accounts.
In a statement provided on Saturday, AT&T stated: “AT&T has launched a thorough investigation with the assistance of internal and external cybersecurity experts. Based on our initial analysis, the data set appears to originate from 2019 or earlier, affecting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.”
“The evidence available to AT&T does not indicate any unauthorized access to its systems resulting in the extraction of the data set,” the statement added.
AT&T customer account passcodes typically consist of four-digit numbers and serve as an extra layer of security for accessing customer accounts, whether through customer service calls, retail outlets, or online platforms.
This marks the first time AT&T has acknowledged that the leaked data pertains to its customers, approximately three years after a hacker claimed to have stolen 73 million AT&T customer records. AT&T previously denied any breach of its systems, although the source of the leak remains undetermined.
AT&T stated on Saturday that “it is yet to be determined whether the data in those fields originated from AT&T or one of its vendors.”
In 2021, the hacker who claimed responsibility for the AT&T breach released only a small sample of records, making it challenging to verify the data’s authenticity. However, earlier in March, a data vendor posted the complete alleged 73 million AT&T records on a known cybercrime forum, allowing for a more thorough examination of the leaked data. Since then, AT&T customers have confirmed the accuracy of their leaked account data.
The leaked data includes AT&T customer names, addresses, phone numbers, dates of birth, and Social Security numbers.
Security researcher Sam “Chick3nman” Croley informed TechCrunch that each record in the leaked data set also contains the encrypted form of the AT&T customer’s account passcode. Croley validated his findings by cross-referencing records in the leaked data with AT&T account passcodes known only to him.
Croley compiled all the encrypted passcodes from the 73 million-record data set and eliminated duplicates, resulting in about 10,000 unique encrypted values, each corresponding to a four-digit passcode permutation ranging from 0000 to 9999, with some outliers for customers with passcodes longer than four digits.
It is common for individuals to set passcodes — particularly if limited to four digits — that are meaningful to them, such as the last four digits of a Social Security number, phone number, birth year, or house number. All of this surrounding data is present in nearly every record in the leaked data set.
By correlating encrypted account passcodes with surrounding account data — including customer birthdates, house numbers, and partial Social Security numbers and phone numbers — Croley managed to identify which encrypted values corresponded to which plaintext passcode.
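The collapse described above, tens of millions of records reducing to about 10,000 distinct stored values, is something a data owner can check for in its own tables. The Python sketch below is an added example, not code from AT&T, Croley, or TechCrunch: it uses a keyed HMAC as a constructed stand-in for the unnamed deterministic scheme, constructed random passcodes, and hypothetical function names, and audits that column beside a per-record salted one.

```python
import hashlib
import hmac
import os
import random
from collections import Counter

DEMO_KEY = b"constructed-demo-key"  # constructed; stands in for one fixed system-wide key

def protect_deterministic(pin: str) -> bytes:
    """Weak pattern: same passcode + same key gives the same stored value in every record."""
    return hmac.new(DEMO_KEY, pin.encode(), hashlib.sha256).digest()

def protect_salted(pin: str, iterations: int = 50) -> bytes:
    """Per-record random salt, so equal passcodes no longer share a stored value.
    iterations is tiny so the demo runs quickly; real deployments use far more."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)

def audit_column(values, max_ratio: float = 0.9) -> dict:
    """Flag a protected column whose distinct-value count is well below its row count."""
    counts = Counter(values)
    rows, distinct = len(values), len(counts)
    return {
        "rows": rows,
        "distinct": distinct,
        "largest_group": counts.most_common(1)[0][1] if counts else 0,
        "flagged": rows > 0 and distinct / rows < max_ratio,
    }

def constructed_pins(n: int, seed: int = 1) -> list:
    """Constructed sample data: n random four-digit passcodes."""
    rng = random.Random(seed)
    return [f"{rng.randrange(10000):04d}" for _ in range(n)]

if __name__ == "__main__":
    pins = constructed_pins(20000)
    print("deterministic:", audit_column([protect_deterministic(p) for p in pins]))
    print("salted:       ", audit_column([protect_salted(p) for p in pins]))
```

Salting removes the cross-record equality that the audit flags, but a four-digit space is still only 10,000 candidates per record, so the stored value should not be treated as a strong secret on its own.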
AT&T has committed to reaching out to all 7.6 million existing customers whose passcodes were reset, as well as current and former customers affected by the compromise of their personal information.