AT&T resets account passcodes after 73 million customer records leak online on Dark Web

Phone giant AT&T has reset millions of consumer account passcodes after a mega cache of data containing AT&T consumer records was leaked online earlier this month.

The U.S. telco giant started the mass passcode reset after TechCrunch informed AT&T on Monday that the leaked data contained encrypted passcodes that could be used to access AT&T customer accounts.

AT&T released a statement: “AT&T has launched a robust investigation supported by internal and external cybersecurity experts. Based on preliminary analysis, the data set appears to be from 2019 or earlier, impacting almost 7.6 million current AT&T account holders and approximately 65.4 million former account holders.”

“AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set.”

TechCrunch held the publication of this story until AT&T could start resetting consumer account passcodes. AT&T has a post on what customers can do to keep their accounts secure.

AT&T consumer account passcodes are typically 4-digit numbers that are used as an extra layer of security when accessing a customer account, such as when calling AT&T customer service, in retail stores and online.

In 2021, the hacker claiming the AT&T breach posted only a small sample of records, making it harder to check whether the data was authentic. Earlier in March, a data seller published the full 73 million alleged AT&T records online on a famous cybercrime forum, permitting detailed analysis of the leaked records.

AT&T consumers have confirmed that their leaked account data is accurate.

The leaked data consist of AT&T customer names, phone numbers, dates of birth and Social Security numbers.

Croley explained that it was not necessary to crack the encryption cipher to unscramble the passcode data.

AT&T said it will contact all of the 7.6 million existing consumers whose passcodes it reset, as well as current and former consumers whose personal information was compromised.

Croley took all the encrypted passcodes from the 73 million record data set and removed every duplicate. That resulted in 10,000 unique encrypted values, which correlated to the 4-digit passcode permutations ranging from 0000 to 9999, with a few outliers for the small number of AT&T consumers with account passcodes longer than 4 digits.

By correlating the encrypted account passcodes with surrounding account data, such as consumer dates of birth, house numbers, partial Social Security numbers and phone numbers, Croley was able to reverse engineer which encrypted values matched which plaintext passcode.

According to Croley, the lack of randomness in the encrypted data means it is possible to guess a consumer's 4-digit account passcode based on surrounding information in the leaked data set.

It is not uncommon for people, if limited to 4 digits, to set passcodes that mean something to them: the last 4 digits of a Social Security number or of the person's phone number, the year of someone's birth, or even the four digits of a house number.

All of this surrounding data is found in every record in the leaked data set.
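The effect Croley describes can be reproduced on constructed data. The following is an added example, not code from the article, Croley or AT&T: the page does not name the cipher, so a keyed HMAC stands in for it, and the record fields, the 40% reuse rate and the `audit` helper are assumptions.

```python
import hashlib, hmac, os, random
from collections import Counter, defaultdict

KEY = os.urandom(32)  # server-side secret; the audit below never reads it

def enc_deterministic(pin):
    # Stand-in for any keyed scheme without per-record randomness:
    # equal passcodes always produce equal ciphertexts.
    return hmac.new(KEY, pin.encode(), hashlib.sha256).hexdigest()[:16]

def enc_randomized(pin):
    # Same primitive, but a fresh nonce per record makes every output unique.
    nonce = os.urandom(8)
    return nonce.hex() + hmac.new(KEY, nonce + pin.encode(), hashlib.sha256).hexdigest()[:16]

def make_records(n, seed=1):
    # Constructed data: 40% of users reuse a nearby field as their passcode.
    rng = random.Random(seed)
    records = []
    for _ in range(n):
        fields = {"ssn4": f"{rng.randrange(10000):04d}",
                  "phone4": f"{rng.randrange(10000):04d}",
                  "house": f"{rng.randrange(10000):04d}",
                  "birth_year": str(rng.randint(1940, 2005))}
        pin = (rng.choice(list(fields.values())) if rng.random() < 0.4
               else f"{rng.randrange(10000):04d}")
        records.append((fields, pin))
    return records

def audit(records, encrypt, min_votes=3):
    """Return (distinct ciphertexts, ciphertexts whose plaintext is exposed)."""
    votes, truth = defaultdict(Counter), {}
    for fields, pin in records:
        ct = encrypt(pin)
        truth[ct] = pin                         # ground truth, used for scoring only
        votes[ct].update(set(fields.values()))  # one vote per distinct field value
    exposed = 0
    for ct, counter in votes.items():
        guess, n = counter.most_common(1)[0]
        if n >= min_votes and guess == truth[ct]:
            exposed += 1
    return len(votes), exposed

if __name__ == "__main__":
    recs = make_records(200_000)
    print("deterministic:", audit(recs, enc_deterministic))
    print("randomized:   ", audit(recs, enc_randomized))
```

On the constructed set the deterministic column collapses to at most 10,000 distinct values, most of which are tied to their plaintext by the neighbouring fields, while the randomized column has one distinct value per record and nothing to correlate.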

 

AT&T says leaked data of 70 million people is not from its systems

AT&T says a massive breach of data impacting 71 million people did not originate from its systems, after a hacker leaked it on a cybercrime forum and claimed it was stolen in a 2021 breach of the company.

The data is from an alleged 2021 AT&T data breach that a threat actor known as ShinyHunters tried to sell on the RaidForums data theft forum for a starting price of $200,000 and incremental offers of $30,000.

The hackers stated they would sell it for $1 million.

AT&T told the media that the data did not originate from them and that its systems were not breached.

They still see no evidence of a breach in their systems and still believe that this data did not originate from them.

AT&T has not responded as to whether it was possible that the data came from a third-party service provider or vendor; no reply has been received at this time.

Alleged AT&T data leaked two years later

Another threat actor known as Major Nelson leaked data from this alleged 2021 data breach for free on a hacking forum, claiming it was the data ShinyHunters tried to sell in 2021.

This data includes names, mobile phone numbers, encrypted dates of birth, encrypted social security numbers and other internal data.

The threat actors have decrypted the birth dates and social security numbers and added them to another file in the leak making those accessible.

We cannot confirm that all 73 million lines are accurate; we verified that some of the data contains correct information: addresses, dates of birth, phone numbers and social security numbers.

Cybersecurity researchers Dark Web Informer and VX Underground have confirmed some of the data to be accurate.

If you were an AT&T customer before and through 2021, assume that your data was exposed and can be used in targeted attacks, including email phishing, SMS phishing and SIM swapping attacks.

If you get any SMS texts or phishing emails claiming to be from AT&T, be very careful about providing any data.

However, data could not be found for people known to be AT&T customers in 2021 and earlier. This would not be uncommon, as the total mobile consumer base at the end of 2021 was 201.8 million subscribers, meaning that if this data dump is legitimate, it is a partial dump.