AT&T, the largest telco in the United States, recently announced that the breached data included a variety of sensitive customer information, such as full names, email addresses, mailing addresses, dates of birth, phone numbers, and Social Security numbers. This leaked data was found to date back to mid-2019 and earlier, and affected more than 7.9 million current AT&T customers. AT&T revealed that the breached records contained duplicates and also included encrypted account passcodes, which would potentially allow unauthorized access to customer accounts.

The company took action to reset these account passcodes after being alerted by TechCrunch about the security risk posed to customers. Notably, AT&T acknowledged that the leaked data also pertained to around 65 million former customers. Under relevant state data breach notification laws, companies are obliged to disclose such incidents to U.S. attorneys general when they affect large numbers of individuals.

In response, AT&T has filed notices in Maine and California and has committed to offering identity theft and credit monitoring services to the affected customers. However, despite these measures, AT&T has yet to identify the source of the leak. It is worth noting that AT&T took three years to take action after a subset of the leaked data initially surfaced online, thereby preventing any meaningful analysis of the data.

TechCrunch cooperated with AT&T to hold the story until the company completed the process of resetting the affected customer passcodes. This incident serves as a reminder of the importance for companies to promptly address and disclose data breaches that compromise the security of their customers.