Updated with comments from AT&T.
A well-known hacker (or hackers) stole the personal data of 70 million AT&T customers, including names, addresses, Social Security numbers, phone numbers, and dates of birth.
In a statement to Bleeping Computer, however, AT&T said it investigated the claims and concluded that the data "does not appear to have come from our system."
ShinyHunters, a hacker who is auctioning off the data online, claims the data is real.
"I'm not surprised," ShinyHunters told RestorePrivacy.com. 'They will continue to deny it until I divulge everything.'
If the data is real, and even if it didn't come from AT&T's servers, it could be authentic.
The stolen personal information is everything an identity thief would need to open an account in someone else's name, impersonate that person in a job search, or obtain identification such as a driver's license.
RestorePrivacy said that at least some of the data samples they saw appeared to be genuine, and an unnamed security expert told Bleeping Computer the same thing.
The news comes just days after a data breach at rival phone company T-Mobile that compromised the names, addresses, birthdates, and Social Security numbers of at least 48 million people; T-Mobile has confirmed the incident.
With regard to the alleged AT&T breach, we typically advise anyone affected by such a serious incident to place a fraud alert on file with the Big Three credit reporting agencies, Equifax, Experian, and TransUnion.
We also urge affected individuals to consider doing a credit freeze with the Big Three, although doing so may complicate getting a loan or opening a new payment account.
If AT&T confirms a breach of its system, it will offer identity theft protection to affected users. If you are one of those users, you should take the company up on its offer.
However, it remains to be seen whether AT&T's claim of a data breach is valid, so it may be premature to act without further information.
The standard course of action for Shiny Hunters is to steal the data and offer to sell it in a cybercriminal marketplace. If no takers are forthcoming, the Shiny Hunters post the data online for free.
In the past few years, he, she, or they have broken into the databases of at least 40 companies, though few are well-known.
ShinyHunters has hinted that the breached companies can buy back their data, and indeed they told RestorePrivacy that they are willing to make such an "arrangement" with AT&T.
More importantly, the ShinyHunters' claims about data theft will most likely turn out to be true; AT&T customers should hope that this claim turns out to be not the case.
Tom's Guide has reached out to AT&T for comment and clarification and will update this article when we hear back.
AT&T responded to our inquiry with the same statement issued to Bleeping Computer:
"Based on our investigation, it appears that the information appearing in the Internet chat rooms did not come from our system.
An AT&T representative added that he could not speculate as to where the data came from or whether it was genuine.
Comments