The telecommunications giant AT&T announced on Saturday that it had reset the passcodes of 7.6 million customers after it determined that compromised customer data was “released on the dark web.”
“Our internal teams are working with external cybersecurity experts to analyze the situation,” AT&T said. “To the best of our knowledge, the compromised data appears to be from 2019 or earlier and does not contain personal financial information or call history.”
The company said that “information varied by customer and account,” but that it may have included a person’s full name, email address, mailing address, phone number, Social Security number, date of birth, AT&T account number and passcode.
In addition to those 7.6 million customers, 65.4 million former account holders were also affected.
The company said it would be “reaching out to individuals with compromised sensitive personal information separately and offering complimentary identity theft and credit monitoring services.”
AT&T said it reset the passcodes for those affected and directed customers to a site with details about how to reset them. It also said that it was starting a “robust investigation supported by internal and external cybersecurity experts.”
A company representative did not address specific questions about how the breach happened or why it went unnoticed for so long.
TechCrunch, which first reported on the passcode reset, said it informed AT&T on Monday that “the leaked data contained encrypted passcodes that could be used to access AT&T customer accounts.”
TechCrunch said it delayed publishing its article until the company “could begin resetting customer account passcodes.”
In its report, TechCrunch said that “this is the first time that AT&T has acknowledged that the leaked data belongs to its customers, some three years after a hacker claimed the theft of 73 million AT&T customer records.”
AT&T had previously denied a breach of its systems but how the leak happened was unclear, TechCrunch reported.
AT&T said that it did not know whether the leaked data “originated from AT&T or one of its vendors” and that it “does not have evidence of unauthorized access to its systems resulting in theft of the data set.”
The episode comes after AT&T customers experienced a widespread outage last month that temporarily cut off connections for users across the United States for several hours. The Feb. 22 outage affected customer in cities including Atlanta, Los Angeles and New York.
At its peak, there were around 70,000 reports of disrupted service for the wireless carrier, according to Downdetector.com, which tracks user reports of telecommunication and internet disruptions.
A few days later, AT&T offered customers affected by the outage a $5 credit in an effort to “make it right.”