AT&T confirms data breach and resets millions of customer passcodes

A file containing data including passcodes and social security numbers of AT&T customers has been available on the dark web for weeks.

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

AT&T has acknowledged that a data leak making the rounds online contains information from more than 7.6 million current customers and 65 million former customers. The company has reset the security passcodes of active customers affected, and says that leaked information "may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and passcode."

AT&T is reaching out to affected customers via “email or letter” to let them know what data was included and what it’s doing for customers in response.

The company's acknowledgment that the leaked data is real — the first reports of the leak emerged in 2021 — only came after TechCrunch notified AT&T of the vulnerability of its encrypted passcodes on Monday. The passcodes are typically four-digit numerical PINs used for account security on phone calls with company support or in-store verification and a security researcher’s analysis revealed that it was “easy to decipher” the passcodes.

This FAQ says customers can set up free fraud alerts from credit bureaus Equifax, Experian, and TransUnion. According to AT&T, the data set “appears to be from 2019 or earlier and does not contain personal financial information or call history.” The company says it’s working with “external cybersecurity experts to analyze the situation,” and that so far it has no “evidence of authorized access” to its systems.