70 million AT&T customers allegedly have their personal data stolen; hacker seeks $1 million
Only a few days after T-Mobile confirmed that as many as 48 million of its subscribers and potential customers had some of their personal data stolen and put up for sale, AT&T has suffered the same plight. According to RestorePrivacy (via 9to5Mac), 70 million AT&T customers have had their Social Security numbers, dates of birth, and other personal data swiped and offered for sale.
AT&T has data from 70 million customers stolen and offered for sale at a price of $1 million
RestorePrivacy says that the culprit is "a well-known threat actor with a long list of previous breaches" who uses the handle ShinyHunters. He previously hacked firms like Microsoft, Tokopedia, Pixlr, Mashable, Minted and more. He seeks $1 million for the compromised AT&T database. The hacker provided RestorePrivacy with exclusive information as proof of the data breach. Meanwhile, AT&T has denied that the data breach has occurred. That led the hacker to say, "they will keep denying until I leak everything."
User data stolen from AT&T is being offered for sale
The $1 million selling price along with other information related to the hack was posted Thursday on an underground hacking forum. The post, according to RestorePrivacy, included a small sample of the data stolen by the hacker and "it appears to be authentic based on available public records," according to the privacy resource center. While RestorePrivacy can't confirm that the information in the database belongs to AT&T customers, everything it examined appears to be valid, it said.
The data stolen includes information that could make life miserable for both AT&T and the 70 million customers whose data has allegedly been stolen. The information includes:
- Name
- Phone number
- Physical address
- Email address
- Social security number
- Date of birth
If this news is legit, U.S. AT&T customers face identity theft, phishing scams, social engineering attacks, hacked accounts, and Social Security scams. As a result, AT&T subscribers need to verify any email they receive that looks genuine but requests their bank account number, Social Security number, credit card number, or more.
AT&T denies that it has been hit by a data breach
AT&T released a statement that says, "Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems." The hacker also issued something of a statement which said, "By the way, if AT&T is afraid and want their database taken off the market, they can contact me for an agreement, it has been done recently and both sides were satisfied."
Despite its denial, AT&T should be shaking in its boots. ShinyHunters' Wikipedia page lists several of his past exploits including the theft of 500 GB of Microsoft source code which was sold online, stealing the records belonging to 3.2 million Pluto TV users, the theft of records pertaining to 40 million users of the Wishbone app, and more.
The hacker also believes that one of the encrypted strings of data he took is a list of users' PIN numbers, which makes this data breach potentially a major worry for those whose data was stolen.
In 2015, an AT&T data breach exposed the names and social security numbers belonging to 280,000 U.S. customers. As a result, the wireless provider was forced to pay a $25 million fine to the Federal Communications Commission (FCC). AT&T employees in Mexico, Colombia, and the Philippines were reportedly behind the hack. Besides the fine, AT&T was told to inform customers affected by the data breach and to pay for credit monitoring services for impacted customers in Colombia and the Philippines.
Earlier this week, T-Mobile offered two years of McAfee ID Theft Protection for free to those customers whose personal information might have been swiped.