Phone giant AT&T has reset millions of customer account passcodes after a huge cache of data containing AT&T customer records was leaked online earlier this month.
The U.S. telecom giant started the mass passcode reset after TechCrunch informed AT&T on Monday that the leaked data contained encrypted passcodes that could be used to access AT&T customer accounts.
AT&T released a statement: "AT&T has launched a robust investigation supported by internal and external cybersecurity experts. Based on preliminary analysis, the data set appears to be from 2019 or earlier, impacting almost 7.6 million current AT&T account holders and approximately 65.4 million former account holders."
"AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set."
TechCrunch held publication of this story until AT&T could begin resetting customer account passcodes. AT&T has published a post on what customers can do to keep their accounts secure.
AT&T customer account passcodes are typically four-digit numbers used as an extra layer of security when accessing a customer account, such as when calling AT&T customer service, in retail stores, and online.
In 2021, the hacker claiming the AT&T breach posted only a small sample of records, making it harder to check whether the data was authentic. Earlier in March, a data seller published the full 73 million alleged AT&T records online on a well-known cybercrime forum, permitting detailed analysis of the leaked records.
AT&T customers have confirmed that their leaked account data is accurate.
The leaked data consists of AT&T customer names, phone numbers, dates of birth and Social Security numbers.
Croley explained that it was not necessary to crack the encryption cipher to unscramble the passcode data.
AT&T said it will contact all 7.6 million existing customers whose passcodes it reset, as well as current and former customers whose personal information was compromised.
Croley took all the encrypted passcodes from the 73 million-record data set and removed every duplicate. That left about 10,000 unique encrypted values, which correspond to the 4-digit passcode permutations ranging from 0000 to 9999, with a few outliers for the small number of AT&T customers whose account passcodes are longer than four digits.
By correlating the encrypted account passcodes with surrounding account data, such as customer dates of birth, house numbers, partial Social Security numbers and phone numbers, Croley was able to reverse engineer which encrypted values matched which plaintext passcode.
According to Croley, the low randomness of the encrypted data means it is possible to guess a customer's four-digit account passcode based on the surrounding information in the leaked data set.
It is not uncommon for people, when limited to four digits, to set passcodes that mean something to them: the last four digits of a Social Security number or phone number, the year of someone's birth, or even the four digits of a house number.
All of this surrounding data is found in every record in the leaked data set.
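The weakness described above, as an added illustration that is not code from the article or from AT&T: a passcode protected by a fixed, unsalted function gives at most 10,000 distinct stored values for the 10,000 possible four-digit PINs, so equal passcodes are visible as equal ciphertexts and cluster together, whereas a per-record random salt makes equal passcodes look unrelated. The key, sample records and function names are constructed for the demo.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Constructed key for the demo; a real deployment keeps this in an HSM or KMS.
SERVER_KEY = b"constructed-demo-key"

def protect_deterministic(passcode: str) -> str:
    """Keyed but unsalted: the stored value depends on the passcode alone,
    so every customer with passcode 1234 gets the identical stored value."""
    return hmac.new(SERVER_KEY, passcode.encode(), hashlib.sha256).hexdigest()

def protect_randomized(passcode: str, salt: Optional[bytes] = None) -> tuple:
    """Per-record random salt: equal passcodes yield unrelated stored values.
    Returns (salt_hex, digest); both are stored with the record."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hmac.new(SERVER_KEY, salt + passcode.encode(), hashlib.sha256).hexdigest()
    return salt.hex(), digest

def verify_randomized(passcode: str, salt_hex: str, digest: str) -> bool:
    """Login-time check: recompute with the stored salt, compare in constant time."""
    _, expected = protect_randomized(passcode, bytes.fromhex(salt_hex))
    return hmac.compare_digest(expected, digest)

def constructed_records() -> list:
    """Constructed sample passcode column, skewed toward 'meaningful' values."""
    return ["1234", "1990", "1234", "0000", "4321", "1990", "1234", "2001"]

def distinct_stored_values(passcodes: list, scheme: str) -> int:
    """How many distinct values the stored column would contain if it leaked.
    Deterministic: bounded by the number of distinct passcodes (never above
    10**4 for four-digit PINs). Randomized: one per record."""
    if scheme == "deterministic":
        return len({protect_deterministic(p) for p in passcodes})
    return len({protect_randomized(p)[1] for p in passcodes})

def largest_cluster(passcodes: list) -> int:
    """Under deterministic protection, identical stored values form clusters;
    the largest cluster is the number of customers sharing one passcode."""
    return max(Counter(protect_deterministic(p) for p in passcodes).values())

if __name__ == "__main__":
    recs = constructed_records()
    print("deterministic distinct values:", distinct_stored_values(recs, "deterministic"))
    print("randomized distinct values:", distinct_stored_values(recs, "randomized"))
    print("largest deterministic cluster:", largest_cluster(recs))
    print("ceiling for four-digit PINs:", 10 ** 4)
```

The randomized column gives an analyst nothing to group by, which is the property the leaked column lacked.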