AT&T resets millions of passcodes after data leak

If I had to rank leaks, I’d say a leaky faucet is the second worst leak, bested only by the most devastating of all fissures: the data leak. And, boy, do we have a data leak on our hands.

A huge cache of AT&T customers’ data, including Social Security numbers and encrypted passcodes that could be used to access customer accounts, was dumped online in March, forcing the telco giant to reset millions of customer account passcodes, TechCrunch learned in an exclusive. After a security researcher analyzed the leaked data and told the news outlet that the passcodes were “easy to decipher,” TechCrunch told AT&T.

AT&T told TechCrunch that there isn’t any evidence just yet that anyone used this data leak to access customers’ information and accounts.

In response, AT&T told the outlet: “AT&T has launched a robust investigation supported by internal and external cybersecurity experts. Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.”

Cybersecurity researcher Troy Hunt told the Associated Press that while this particular data leak popped up on a hacking forum just two weeks ago, it looks a whole lot like a 2021 data breach that AT&T never acknowledged. Hunt said that if AT&T assessed the leak and “made the wrong call on it, and we’ve had a course of years pass without them being able to notify impacted customers,” then the company could be on the hook for class action lawsuits.

In a statement on AT&T’s website, the telco company encourages customers to take safety into their own hands by “monitoring account activity and credit reports” and setting up “free fraud alerts from nationwide credit bureaus — Equifax, Experian, and TransUnion.”

Mashable