Updated with comments from AT&T
A well-known hacker (or hackers) stole the personal data of 70 million AT&T customers, including names, addresses, Social Security numbers, phone numbers, and dates of birth
In a statement to Bleeping Computer, however, AT&T said it investigated the claims and concluded that the data "does not appear to have come from our system"
ShinyHunters, a hacker who is auctioning off the data online, claims the data is real
"I'm not surprised," ShinyHunters told RestorePrivacycom 'They will continue to deny it until I divulge everything'
If the data is real, and even if it didn't come from AT&T's servers, it could be authentic
The stolen personal information is everything an identity thief would need to open an account in someone else's name, impersonate that person in a job search, or obtain identification such as a driver's license
RestorePrivacy said that at least some of the data samples they saw appeared to be genuine, and an unnamed security expert told Bleeping Computer the same thing
The news comes just days after a data breach at rival phone company T-Mobile that compromised the names, addresses, birthdates, and Social Security numbers of at least 48 million people; T-Mobile has confirmed the incident
With regard to the alleged AT&T breach, we typically advise anyone affected by such a serious incident to place a fraud alert on file with the Big Three credit reporting agencies, Equifax, Experian, and TransUnion
We also urge affected individuals to consider doing a credit freeze with the Big Three, although doing so may complicate getting a loan or opening a new payment account
If AT&T confirms a breach of its system, it will offer identity theft protection to affected users If you are one of those users, you should take the company up on its offer
However, it remains to be seen whether AT&T's claim of a data breach is valid, so it may be premature to act without further information
The standard course of action for Shiny Hunters is to steal the data and offer to sell it in a cybercriminal marketplace If no takers are forthcoming, the Shiny Hunters post the data online for free
In the past few years, he, she, or they have broken into the databases of at least 40 companies, though few are well-known
ShinyHunters has hinted that the breached companies can buy back their data, and indeed they told RestorePrivacy that they are willing to make such an "arrangement" with AT&T
More importantly, the ShinyHunters' claims about data theft will most likely turn out to be true; AT&T customers should hope that this claim turns out to be not the case
Tom's Guide has reached out to AT&T for comment and clarification and will update this article when we hear back
AT&T responded to our inquiry with the same statement issued to Bleeping Computer:
"Based on our investigation, it appears that the information appearing in the Internet chat rooms did not come from our system
An AT&T representative added that he could not speculate as to where the data came from or whether it was genuine
Comments