

Telecommunications company AT&T Inc. has confirmed that personal data relating to 73 million of its past and present customers that made its way onto the dark web recently is believed to have been from 2019 or earlier.
The data in question first appeared for sale on the now-defunct Raid Forums hacking forum in 2021 and was said at the time to include Social Security numbers and dates of birth. The same data then appeared earlier this month after being dumped by a breach seller.
The dump contained data relating to 7.6 million current AT&T customers and 65.4 million former customers. AT&T said in a support article today that it’s reaching out to current customers, has reset their passwords, and is also communicating with former account holders over their compromised sensitive personal information.
“Our internal teams are working with external cybersecurity experts to analyze the situation,” AT&T stated. “To the best of our knowledge, the compromised data appears to be from 2019 or earlier and does not contain personal financial information or call history.”
AT&T says the information in the data varied by customer and account but may have included full name, email address, mailing address, phone number, Social Security number, date of birth, AT&T account number and passcode.
Along with resetting passcodes, AT&T is also encouraging affected customers to remain vigilant by monitoring account activity and credit reports. Affected customers are being offered free fraud alerts from major credit bureaus and can review their credit report for free via Freecreditreports.com.
Other than saying that AT&T data-specific fields were contained in the data, the company added that it does not know yet whether the data in those fields originated from AT&T or one of its vendors.
That AT&T doesn’t know where the data comes from in 2024 is arguably disturbing. The company was aware that the same data was available for sale in 2021 and yet seemingly, in that time — at least according to AT&T — hasn’t been able to trace the source.
It should also be noted that in 2021, a spokesperson for AT&T denied that the data belonged to it in an email to SiliconANGLE. “Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems,” the spokesperson said at the time.
Whether AT&T is at fault for the data breach or not is a moot point. Any company that has data leaked should be finding out where the data came from. It’s difficult to believe that AT&T has spent the last two to three years not finding the origin of the leak.