USA | March 30, 2024 | 9 min read
# AT&T: 73 Million Customer Records Including Social Security Numbers Published on Dark Web - Followed by Second Breach of 110 Million Call Records
On March 30, 2024, AT&T confirmed that a dataset containing personal
information of 73 million current and former customers--including Social
Security numbers and encrypted account passcodes that proved trivially
reversible--had been published on the dark web. The data, originating from
2019 or earlier, had first surfaced in 2021 but AT&T did not acknowledge
the breach until independent security researcher Troy Hunt confirmed the
data's validity three years later. Within months, a second and separate
breach emerged: attackers used a password stolen by infostealer malware to
log in to AT&T's Snowflake cloud account, which had no multi-factor
authentication, and exfiltrated call and text metadata for nearly 110
million customers. AT&T paid a
$373,646 ransom for the second dataset's deletion. A combined $177 million
settlement received final court approval in January 2026.
## Key Facts
- **What:** Two separate AT&T breaches exposed customer data and call metadata.
- **Who:** 73 million customers in the first breach; 110 million in the second.
- **Data Exposed:** SSNs, reversible passcodes, call records, and geolocation metadata.
- **Outcome:** $177 million combined settlement approved in January 2026.
## What Was Exposed
- Social Security numbers for 73 million current and former AT&T customers
- AT&T account passcodes: four-digit PINs stored in an encrypted form that proved easily reversible
- Full legal names, email addresses, mailing addresses, phone numbers, and dates of birth
- AT&T account numbers tied to individual subscriber identities
- In the second breach: call and text message metadata for approximately 110 million customers, spanning a six-month period
- Call durations, phone numbers of all parties, and cell site identification numbers enabling approximate geolocation
The first breach dataset, published as a 5-gigabyte archive on BreachForums
by a threat actor using the handle “MajorNelson,” contained data from
2019 or earlier. The dataset had initially appeared on the dark web in 2021,
when a threat actor known as “ShinyHunters” attempted to sell it. AT&T
denied the data was theirs at the time, attributing it to a potential
third-party vendor compromise. The company did not publicly acknowledge the
data as authentic until March 30, 2024--more than three years after its
initial dark web appearance--after Troy Hunt of Have I Been Pwned independently
validated the dataset by confirming records with affected AT&T customers.
The encrypted passcodes presented a particularly acute risk. AT&T account
passcodes are four-digit numeric PINs used to authenticate customers when
they contact AT&T support, visit retail stores, or make account changes.
No storage format hides a four-digit PIN from an attacker who holds the
table: there are only 10,000 possible values. If the PINs are hashed, salted
or not, the attacker enumerates those 10,000 candidates per record in well
under a second. If they are encrypted deterministically, so that every
customer with the same PIN has the same stored value, the attacker does not
need the key at all: the column is a 10,000-entry codebook, and the other
leaked fields that customers commonly reuse as PINs (birth years, street
numbers) let the attacker label the most common entries by correlation.
Only a keyed, per-record construction whose key was never part of the dump
would have resisted offline recovery, and the stolen passcodes were not
protected that way. Any attacker with the dataset could impersonate
affected customers to AT&T support, execute SIM swaps, or take over
accounts. AT&T reset passcodes for 7.6 million active customers affected by
the breach.
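The two recovery paths described above, worked through in code. This is an added example, not code from the article, from AT&T, or from the researchers who examined the dump; every account, birth year and PIN is constructed, and the keyed function standing in for the carrier's deterministic encryption is an assumption, since the real scheme was never published. Case 1 inverts unsalted hashes by enumeration; case 2 labels deterministic ciphertexts from birth years alone, without ever touching the key.

```python
"""Added example (not code from the article, AT&T, or the researchers it cites): why a
four-digit PIN column cannot be protected by hashing or deterministic encryption.
All accounts, birth years and PINs below are constructed."""
import hashlib
import hmac
import random
from collections import Counter, defaultdict

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]

# Stand-in for the carrier's deterministic encryption: a keyed function whose key the
# attacker never learns. The flaw it reproduces is that the same PIN yields the same
# stored value for every customer. (Assumption: the real scheme is not public.)
_CARRIER_KEY = b"key-that-never-leaked"


def encrypt_pin_deterministic(pin: str) -> str:
    return hmac.new(_CARRIER_KEY, pin.encode(), hashlib.sha256).hexdigest()[:16]


def build_leak(n_accounts: int = 3000, birth_year_share: float = 0.4, seed: int = 7):
    """Constructed leak: each record carries a birth year and the stored passcode value.
    A share of customers use their birth year as the PIN; the rest pick uniformly."""
    rng = random.Random(seed)
    truth, leak = {}, {}
    for acct in range(n_accounts):
        year = rng.randint(1940, 2005)
        pin = str(year) if rng.random() < birth_year_share else rng.choice(PIN_SPACE)
        truth[acct] = pin
        leak[acct] = {"birth_year": year, "passcode": encrypt_pin_deterministic(pin)}
    return leak, truth


def invert_unsalted_hashes(stored: dict) -> dict:
    """Case 1, unsalted unkeyed hash: one table of 10,000 digests inverts every record."""
    table = {hashlib.sha256(p.encode()).hexdigest(): p for p in PIN_SPACE}
    return {acct: table[h] for acct, h in stored.items() if h in table}


def label_by_birth_year(leak: dict, min_support: int = 3, min_share: float = 0.6) -> dict:
    """Case 2, deterministic encryption, no key needed: group accounts by stored value and
    look at the birth years in each group. When one year dominates a group, that group's
    stored value is the ciphertext of that year. Returns {account: recovered_pin}."""
    years_per_ct = defaultdict(Counter)
    for acct, rec in leak.items():
        years_per_ct[rec["passcode"]][rec["birth_year"]] += 1
    codebook = {}
    for ct, years in years_per_ct.items():
        year, count = years.most_common(1)[0]
        if count >= min_support and count / sum(years.values()) >= min_share:
            codebook[ct] = str(year)
    return {acct: codebook[rec["passcode"]]
            for acct, rec in leak.items() if rec["passcode"] in codebook}


def demo() -> dict:
    leak, truth = build_leak()
    hashed = {acct: hashlib.sha256(pin.encode()).hexdigest() for acct, pin in truth.items()}
    by_hash = invert_unsalted_hashes(hashed)
    by_year = label_by_birth_year(leak)
    return {
        "accounts": len(truth),
        "hash_recovered": len(by_hash),
        "hash_all_correct": all(by_hash[a] == truth[a] for a in by_hash),
        "det_recovered": len(by_year),
        "det_all_correct": all(by_year[a] == truth[a] for a in by_year),
    }


if __name__ == "__main__":
    print(demo())
```

Case 2 recovers only the accounts whose stored value lands in a labelled group, but every label it assigns is correct, and each labelled ciphertext also unlocks every other customer who happens to share that PIN. With a real dump an attacker repeats the same correlation against street numbers, last four digits of phone numbers, and any other four-digit field in the record.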
## The Second Breach: Snowflake Cloud Platform
Before the dust settled on the first disclosure, a second and entirely
separate breach came to light. Between April 14 and April 25, 2024,
attackers accessed AT&T's account on Snowflake, the cloud data warehousing
platform, using credentials that had been stolen by infostealer malware.
The Snowflake account, like the Citrix remote-access portal behind the
Change Healthcare breach earlier in 2024, had no multi-factor authentication.
Over an 11-day dwell period, the attackers exfiltrated call and text message
metadata for nearly all AT&T cellular customers--approximately 110 million
people. The stolen metadata included the phone numbers of all parties on
every call and text, call durations, and cell site identification numbers
that could be used to determine the approximate geographic location of the
caller at the time of each communication. While the content of calls and
texts was not included, the metadata itself constituted a comprehensive
communications surveillance dataset. A cell site ID localizes the caller
to one sector's coverage area, a few hundred meters in dense urban
deployments and considerably more in rural ones, and call pattern analysis
can reveal social networks, daily routines, business relationships, and
sensitive associations.
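To make the surveillance value of metadata concrete, here is an added example (not from the article or AT&T) that profiles one subscriber from nothing but originating call records. The records are constructed, the field layout is generic rather than AT&T's schema, and the subscriber and cell site names are placeholders.

```python
"""Added example, not from the article or AT&T: what call metadata reveals on its own.
The records are constructed and the field layout is generic, not AT&T's schema."""
from collections import Counter
from datetime import datetime

SUBJECT = "+15550001"


def make_sample_cdrs():
    """Constructed call detail records: (timestamp, caller, callee, seconds, caller_cell_site).
    Only the caller's cell site is recorded, as in a typical originating CDR."""
    rows = []
    for day in range(2, 9):                       # one week, 2022-05-02 .. 2022-05-08
        d = f"2022-05-{day:02d}"
        rows.append((f"{d}T08:10:00", SUBJECT, "+15550002", 90, "SITE-12"))
        rows.append((f"{d}T12:30:00", SUBJECT,
                     "+15550003" if day % 2 else "+15550004", 300, "SITE-40"))
        rows.append((f"{d}T22:20:00", SUBJECT, "+15550005", 45, "SITE-12"))
        rows.append((f"{d}T23:05:00", "+15550002", SUBJECT, 600, "SITE-77"))   # inbound
    rows.append(("2022-05-05T03:00:00", SUBJECT, "+18005550100", 1200, "SITE-12"))
    return rows


def counterpart_counts(cdrs, number):
    """Social-graph edge weights for one number, counting both directions."""
    counts = Counter()
    for _, caller, callee, _, _ in cdrs:
        if caller == number:
            counts[callee] += 1
        elif callee == number:
            counts[caller] += 1
    return counts


def usual_site(cdrs, number, start_hour, end_hour):
    """Most common cell site for calls placed by `number` in [start_hour, end_hour);
    the window may wrap past midnight (22 -> 6)."""
    sites = Counter()
    for ts, caller, _, _, site in cdrs:
        if caller != number:
            continue
        h = datetime.fromisoformat(ts).hour
        if start_hour < end_hour:
            in_window = start_hour <= h < end_hour
        else:
            in_window = h >= start_hour or h < end_hour
        if in_window:
            sites[site] += 1
    return sites.most_common(1)[0][0] if sites else None


def profile(cdrs, number):
    """What an analyst (or an attacker) can read off the metadata for one subscriber."""
    contacts = counterpart_counts(cdrs, number)
    return {
        "home_site": usual_site(cdrs, number, 22, 6),     # where the phone is late at night
        "work_site": usual_site(cdrs, number, 9, 17),     # where it is in business hours
        "top_contacts": contacts.most_common(3),
        "long_night_calls": [(ts, callee, secs) for ts, caller, callee, secs, _ in cdrs
                             if caller == number and secs >= 900
                             and datetime.fromisoformat(ts).hour < 6],
    }


if __name__ == "__main__":
    print(profile(make_sample_cdrs(), SUBJECT))
```

One week of records is enough to place the subscriber's home and workplace, rank their closest contacts, and single out a twenty-minute call to a toll-free number at 3 a.m.; with six months of data for 110 million people the same queries run at population scale.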
AT&T paid $373,646 to the threat actor in exchange for deletion of the
stolen data and a video purporting to show the deletion process. The
company disclosed this breach on July 12, 2024, via an SEC filing,
noting that the U.S. Department of Justice had requested delayed public
disclosure for national security reasons. The DOJ's involvement suggests
the stolen metadata may have included communications records of individuals
relevant to ongoing law enforcement or intelligence operations.
## Regulatory Analysis
The AT&T breaches triggered regulatory scrutiny from multiple directions.
The Federal Communications Commission (FCC) opened an investigation into
both incidents, examining whether AT&T complied with the FCC's updated
data breach notification rules and the agency's broader requirements for
telecommunications carriers to protect customer proprietary network
information (CPNI). Under Section 222 of the Communications Act, added by the
Telecommunications Act of 1996, carriers have a statutory duty to protect
CPNI, which explicitly includes call records, the exact data type exposed in
the second breach. The FCC's investigation also examined AT&T's compliance
with the agency's updated breach notification rule, adopted in December 2023
and in effect from March 2024, which requires carriers to notify affected
customers no later than 30 days after reasonably determining that a breach
occurred.
The three-year gap between the first dataset's appearance on the dark web
in 2021 and AT&T's official acknowledgment in March 2024 raised serious
questions about the company's breach investigation and disclosure obligations.
AT&T maintained for three years that the data either did not originate from
its systems or could not be confirmed as authentic. This position became
untenable when independent validation proved the data matched AT&T customer
records. Whether AT&T's three-year denial constituted a violation of state
breach notification statutes--many of which require notification within 30
to 60 days of discovering a breach--depends on when AT&T itself determined
or should have determined that the data was authentic. This question is
central to the consolidated litigation.
The litigation was consolidated into a multidistrict proceeding (MDL
3:24-md-03114) in the Northern District of Texas. A combined settlement
of $177 million was reached--$149 million attributable to the first breach
and $28 million to the second--with final court approval granted on
January 15, 2026. Affected individuals may claim up to $5,000 for
documented losses from the first breach and $2,500 from the second.
While the settlement provides individual compensation, the per-customer
figures are modest relative to the severity of SSN and communications
metadata exposure. For a company of AT&T's scale--with $122 billion
in 2023 revenue--the $177 million settlement represents approximately
0.14 percent of annual revenue, a figure unlikely to drive transformative
security investment.
The Snowflake dimension of the AT&T breach was not an isolated incident.
AT&T was one of at least 165 organizations compromised through Snowflake
accounts lacking MFA in a campaign attributed to the threat group UNC5537.
Other victims included Ticketmaster, Santander Bank, and LendingTree.
Snowflake itself was not breached--the attackers used credentials stolen
from individual customers' environments. However, Snowflake's platform
did not enforce MFA by default, and many enterprise customers had not
enabled it. In the aftermath, Snowflake introduced mandatory MFA for all
new accounts. The campaign demonstrated that cloud platform security is
only as strong as the authentication controls individual tenants configure,
and that platform providers bear responsibility for establishing secure
defaults rather than treating MFA as an optional feature.
## What Should Have Been Done
**Passcode Security Architecture:** Hashing or encrypting a four-digit
PIN does not protect it once the table leaks: with 10,000 possible values,
any unkeyed hash is inverted by enumeration and any deterministic ciphertext
is a codebook. What does help is binding the stored value to a key that is
never in the database, for example an HMAC or envelope encryption under a
key held in an HSM or cloud KMS, with a per-account input so that equal PINs
produce different stored values. Offline recovery then requires the key,
and every online guess has to pass through the verifier, where failed
attempts can be counted and the account locked after a handful of tries.
More fundamentally, four-digit PINs should not serve as primary
authentication for account changes that can lead to SIM swaps and account
takeovers. Step-up authentication requiring a second factor should be
mandatory for any account modification that changes device assignments,
contact information, or billing details.
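The verifier design sketched above, as an added example that is not AT&T's implementation or any vendor's: the stored value is an HMAC over the account identifier and PIN under a key that only a KMS/HSM stand-in can use, online guessing is capped per account, and sensitive operations demand a second factor before the PIN is even checked. `KmsStub`, the operation names, and the lockout threshold are all assumptions chosen for illustration.

```python
"""Added example, not AT&T's design: a passcode verifier whose stored values are useless
without a key that lives outside the database, that caps online guessing, and that never
accepts a four-digit PIN alone for a SIM change. KmsStub stands in for an HSM/KMS."""
import hashlib
import hmac
import secrets

SENSITIVE_OPERATIONS = {"sim_swap", "change_contact_info", "change_billing"}
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]


class KmsStub:
    """Assumption: models an HSM/KMS that computes MACs on request but never exports the key."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def mac(self, account_id: str, pin: str) -> bytes:
        # account_id in the message: equal PINs give different stored values (no codebook)
        return hmac.new(self._key, f"{account_id}:{pin}".encode(), hashlib.sha256).digest()


class PasscodeStore:
    MAX_FAILED = 5

    def __init__(self, kms: KmsStub):
        self._kms = kms
        self.records = {}   # account_id -> MAC; this is all a database dump exposes
        self._failed = {}

    def enroll(self, account_id: str, pin: str) -> None:
        self.records[account_id] = self._kms.mac(account_id, pin)

    def is_locked(self, account_id: str) -> bool:
        return self._failed.get(account_id, 0) >= self.MAX_FAILED

    def verify(self, account_id: str, pin: str) -> bool:
        """Every guess passes through here, so failures are countable. A locked account
        rejects even the right PIN until a separate recovery flow clears the lock."""
        if self.is_locked(account_id):
            return False
        expected = self.records.get(account_id, b"")
        ok = hmac.compare_digest(expected, self._kms.mac(account_id, pin))
        self._failed[account_id] = 0 if ok else self._failed.get(account_id, 0) + 1
        return ok

    def authorize(self, account_id: str, pin: str, operation: str,
                  second_factor_verified: bool = False) -> str:
        """Returns 'allowed', 'denied', 'locked' or 'step_up_required'. The step-up decision
        comes before the PIN check, so sensitive flows cannot be used to probe PINs either."""
        if self.is_locked(account_id):
            return "locked"
        if operation in SENSITIVE_OPERATIONS and not second_factor_verified:
            return "step_up_required"
        return "allowed" if self.verify(account_id, pin) else "denied"


def offline_enumeration(records: dict) -> int:
    """What an attacker holding the dump can do: enumerate all 10,000 PINs under a guessed
    key. Without the real key, no candidate matches any stored value."""
    guessed_key = secrets.token_bytes(32)
    hits = 0
    for account_id, stored in records.items():
        for pin in PIN_SPACE:
            candidate = hmac.new(guessed_key, f"{account_id}:{pin}".encode(), hashlib.sha256)
            if hmac.compare_digest(stored, candidate.digest()):
                hits += 1
    return hits


def demo() -> dict:
    store = PasscodeStore(KmsStub())
    store.enroll("acct-1", "1975")
    store.enroll("acct-2", "1975")   # same PIN as acct-1
    results = {
        "same_pin_distinct_storage": store.records["acct-1"] != store.records["acct-2"],
        "offline_hits": offline_enumeration(store.records),
        "sim_swap_pin_only": store.authorize("acct-1", "1975", "sim_swap"),
        "sim_swap_with_2fa": store.authorize("acct-1", "1975", "sim_swap",
                                             second_factor_verified=True),
        "balance_pin_only": store.authorize("acct-1", "1975", "view_balance"),
    }
    for guess in ("0000", "1234", "1111", "2000", "1980"):   # online guessing, capped
        store.authorize("acct-2", guess, "view_balance")
    results["after_5_failures_right_pin"] = store.authorize("acct-2", "1975", "view_balance")
    return results


if __name__ == "__main__":
    print(demo())
```

The design moves the attacker from an offline search over 10,000 values to at most five online guesses per account, which is a 2,000-fold cut that a real deployment would pair with alerting on lockouts and with the same keyed construction for the recovery flow itself.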
**Multi-Factor Authentication on All Cloud Platforms:** The Snowflake
breach was entirely preventable with MFA. AT&T's failure to enable MFA on
a cloud data warehouse containing call records for 110 million customers
repeated the exact same class of failure that enabled the Change Healthcare
breach just two months earlier. Organizations must enforce MFA on every
cloud platform, SaaS application, and remote-access portal that provides
access to customer data--without exception. Cloud security posture
management (CSPM) tools should continuously audit authentication configurations
across all cloud tenants and flag any account that lacks MFA enforcement.
The AT&T Snowflake breach, and the 164 other organizations compromised in
the same campaign, prove that treating MFA as optional on cloud platforms
is equivalent to leaving the front door unlocked.
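One form the continuous audit recommended above can take, as an added example that is not from the article, from Snowflake, or from any CSPM product: a check over login-history rows that flags every successful password-only login and escalates those arriving from outside known egress ranges, which is what an infostealer-sourced credential looks like in the logs. The column names follow the shape of Snowflake's `ACCOUNT_USAGE.LOGIN_HISTORY` view (an assumption about that view, not a copy of it); every row, user and IP range is constructed.

```python
"""Added example, not from the article, Snowflake, or any CSPM vendor: a continuous-audit
check over login-history rows. Column names follow the shape of Snowflake's
ACCOUNT_USAGE.LOGIN_HISTORY view (an assumption, not a copy of it); every row and IP
range below is constructed."""
import ipaddress

CORPORATE_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]   # assumption: known egress ranges

LOGIN_HISTORY = [   # constructed rows
    {"EVENT_TIMESTAMP": "2024-04-14T02:11:09", "USER_NAME": "ETL_SVC", "CLIENT_IP": "203.0.113.7",
     "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-14T09:02:41", "USER_NAME": "ETL_SVC", "CLIENT_IP": "198.51.100.10",
     "REPORTED_CLIENT_TYPE": "SNOWSQL", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-14T09:15:03", "USER_NAME": "ANALYST1", "CLIENT_IP": "198.51.100.22",
     "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-14T09:20:55", "USER_NAME": "ANALYST2", "CLIENT_IP": "203.0.113.40",
     "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI", "FIRST_AUTHENTICATION_FACTOR": "SAML2_ASSERTION",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-14T10:00:00", "USER_NAME": "LOADER", "CLIENT_IP": "198.51.100.5",
     "REPORTED_CLIENT_TYPE": "JDBC_DRIVER", "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-14T10:30:00", "USER_NAME": "ETL_SVC", "CLIENT_IP": "203.0.113.8",
     "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
]


def is_password_only(row):
    """Password with no second factor. SSO assertions and key pairs are not password
    logins; their strength is enforced elsewhere (the IdP, the private key)."""
    return (row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not row["SECOND_AUTHENTICATION_FACTOR"])


def audit(rows, egress=CORPORATE_EGRESS):
    """One finding per successful password-only login; 'critical' when the source IP is
    outside known egress ranges, the signature of a credential used from an attacker's box."""
    findings = []
    for row in rows:
        if row["IS_SUCCESS"] != "YES" or not is_password_only(row):
            continue
        ip = ipaddress.ip_address(row["CLIENT_IP"])
        on_net = any(ip in net for net in egress)
        findings.append({
            "user": row["USER_NAME"],
            "when": row["EVENT_TIMESTAMP"],
            "client": row["REPORTED_CLIENT_TYPE"],
            "ip": row["CLIENT_IP"],
            "severity": "high" if on_net else "critical",
            "reason": "password-only login" + ("" if on_net else " from outside known egress"),
        })
    return findings


def users_needing_mfa(findings):
    """Accounts to move to MFA (humans) or key-pair/OAuth auth (service accounts)."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    for finding in audit(LOGIN_HISTORY):
        print(finding)
    print("enforce MFA or key-pair auth for:", users_needing_mfa(audit(LOGIN_HISTORY)))
```

The detection side is only half of it: the fix is to make password-only logins impossible rather than merely visible, which on Snowflake means an account-level authentication policy that requires MFA enrollment for human users and key-pair or OAuth authentication for service users. The failed row at 10:30 is deliberately excluded from the MFA findings; repeated failures from off-network addresses belong in a separate password-spray rule.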
**Timely Breach Acknowledgment and Investigation:** AT&T's
three-year delay between the first dataset's dark web appearance and
official acknowledgment is indefensible regardless of the company's
uncertainty about the data's origin. When customer data bearing a company's
identifiers appears on criminal forums, the company must immediately
conduct a forensic investigation to determine authenticity--not spend
three years denying involvement while 73 million customers remain unaware
their Social Security numbers are circulating freely. Prompt investigation,
even when the source is uncertain, is both a legal obligation under
breach notification statutes and a basic duty of care to affected individuals.
AT&T suffered two separate breaches within months of each other, exposing
Social Security numbers, trivially reversible passcodes, and communications
metadata across a combined 183 million customer records (with heavy overlap
between the two affected populations). The second breach had a single,
well-understood root cause: a stolen password on a cloud system without
multi-factor authentication. How the first dataset was taken has never been
publicly established, which is itself a mark against AT&T's investigation.
The $177 million settlement, while meaningful for individual claimants,
represents a fraction of a percent of AT&T's revenue. For telecommunications
carriers and any organization storing sensitive customer data in cloud
platforms, the AT&T case demonstrates that MFA is not a security enhancement
but a minimum viable control, and that denying a breach for three years does
not make it go away.