AT&T admits data breach, says 51 million customers are affected

 A black AT&T sign with its logo in bright blue hanging outside a brick store .
A black AT&T sign with its logo in bright blue hanging outside a brick store .

New information regarding the 2021 AT&T breach is emerging, with the company reducing the number of affected individuals by almost a third, from the initial 70 million, down to 51 million.

AT&T also said it has started notifying victims of the breach, and offered identity theft monitoring and protection services.

For the uninitiated, back in 2021, privacy blog RestorePrivacy reported that a threat actor was selling a huge database of current and former AT&T customers on a dark web forum. AT&T denied that it was its database, and claimed that its systems were not breached.

Financial information not included

Fast forward to 2024, and a different threat actor leaked the entire database, prompting the same response from the telco giant. However, after multiple media publications independently verified the authenticity and source of the data, AT&T came clean. However, it still didn’t say how the hackers obtained the database.

In any case, the company revised the number of affected individuals, pinning it down to 51,226,382. Apparently, many of the people on the list had duplicate entries.

"The [exposed] information varied by individual and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode," the company said in the breach notification. "To the best of our knowledge, personal financial information and call history were not included. Based on our investigation to date, the data appears to be from June 2019 or earlier."

When asked about the difference in the number of impacted customers, AT&T told BleepingComputer the database appeared to hold many duplicates:

"We are sending a communication to each person whose sensitive personal information was included.  Some people had more than one account in the dataset, and others did not have sensitive personal information.”

More from TechRadar Pro