In March 2024, AT&T finally acknowledged what security researchers had been warning about for years. A dataset containing personal information of roughly 73 million people landed on the dark web. Not a small leak. Not a minor inconvenience. We are talking Social Security numbers, account passcodes, full names, addresses, and dates of birth. The whole package.
If you were an AT&T customer at any point before 2024, you should assume your data was part of this breach. That is not paranoia. That is math.
> What Actually Got Leaked
The exposed dataset dates back to 2019 or earlier and includes both current and former customers. Here is the full list of what was in the dump:
- Full names
- Home addresses
- Email addresses
- Phone numbers
- Social Security numbers
- Dates of birth
- AT&T account numbers and passcodes
The passcode detail is particularly nasty. AT&T account passcodes are typically four digit PINs used for account verification. If you never changed yours, someone could potentially use it to take over your AT&T account or port your phone number to another carrier. SIM swapping attacks start exactly like this.
> The Timeline Is Embarrassing
Here is the part that should make you angry. A data seller first offered this dataset on the dark web back in 2021. AT&T denied it was theirs. Security researchers analyzed the data and said it matched AT&T customer records. AT&T kept denying it.
Three years later, the full dataset was dumped publicly. Only then did AT&T confirm the breach and start notifying affected customers. Three years of denial while millions of Social Security numbers floated around criminal marketplaces.
> What You Should Do Right Now
Do not wait for AT&T to send you a letter. Take these steps today:
1. Change your AT&T passcode immediately. Log into your AT&T account and update that four digit PIN. If you use the same PIN anywhere else (and be honest, you probably do), change it there too.
2. Freeze your credit. Contact all three bureaus: Equifax, Experian, and TransUnion. A credit freeze prevents anyone from opening new accounts in your name. It is free and takes about ten minutes per bureau.
3. Set up fraud alerts. If you do not want a full freeze, at minimum place a fraud alert on your credit file. This forces lenders to verify your identity before approving new credit.
4. Monitor your accounts. Watch your bank statements, credit card transactions, and any accounts tied to your AT&T email. Criminals do not always act immediately. Sometimes they sit on stolen data for months before using it.
5. Watch for phishing attempts. Now that criminals have your personal details, expect convincing phishing emails and texts. They will know your name, address, and possibly your account details. Do not click links in messages claiming to be from AT&T.
> Check Your Exposure
The AT&T breach is just one of hundreds that have happened in the last few years. Your data could be floating around multiple dark web databases right now. The only way to know is to check.