USA | March 30, 2024 | 9 min read
On March 30, 2024, AT&T confirmed that a dataset containing personal information of 73 million current and former customers--including Social Security numbers and encrypted account passcodes that proved trivially reversible--had been published on the dark web. The data, originating from 2019 or earlier, had first surfaced in 2021, but AT&T did not acknowledge the breach until independent security researcher Troy Hunt confirmed the data's validity three years later.
Key Facts
- What: Two separate AT&T breaches exposed customer data and call metadata.
- Who: 73 million customers in the first breach; 110 million in the second.
- Data Exposed: SSNs, reversible passcodes, call records, and geolocation metadata.
- Outcome: $177 million combined settlement approved in January 2026.
What Was Exposed
- Social Security numbers for 73 million current and former AT&T customers
- AT&T account passcodes--four-digit PINs stored in an encrypted format that was easily reversible through brute-force decryption
- Full legal names, email addresses, mailing addresses, phone numbers, and dates of birth
- AT&T account numbers tied to individual subscriber identities
- In the second breach: call and text message metadata for approximately 110 million customers, spanning a six-month period
- Call durations, phone numbers of all parties, and cell site identification numbers enabling approximate geolocation
The first breach dataset, published as a 5-gigabyte archive on BreachForums by a threat actor using the handle “MajorNelson,” contained data from 2019 or earlier. The dataset had initially appeared on the dark web in 2021, when a threat actor known as “ShinyHunters” attempted to sell it. AT&T denied the data was theirs at the time, attributing it to a potential third-party vendor compromise.
The company did not publicly acknowledge the data as authentic until March 30, 2024--more than three years after its initial dark web appearance--after Troy Hunt of HaveIBeenPwned independently validated the dataset against known AT&T customer records.
The encrypted passcodes presented a particularly acute risk. AT&T account passcodes are four-digit numerical PINs used to authenticate customers when they contact AT&T support, visit retail stores, or make account changes.
The encryption applied to these passcodes in the stolen dataset was trivially breakable: a four-digit numeric code has only 10,000 possible combinations, meaning that regardless of the encryption algorithm used, the passcodes could be recovered through exhaustive brute-force decryption in seconds.
Any attacker with the dataset could impersonate affected customers to AT&T support, execute SIM swaps, or take over accounts. AT&T reset passcodes for 7.6 million active customers affected by the breach.
The Second Breach: Snowflake Cloud Platform
Before the dust settled on the first disclosure, a second and entirely separate breach came to light. Between April 14 and April 25, 2024, attackers accessed AT&T's account on Snowflake, the cloud data warehousing platform, using credentials that had been stolen by infostealer malware.
The Snowflake account, like the Citrix portal in the Change Healthcare breach disclosed the same month, lacked multi-factor authentication.
Over an 11-day dwell period, the attackers exfiltrated call and text message metadata for nearly all AT&T cellular customers--approximately 110 million people. The stolen metadata included the phone numbers of all parties on every call and text, call durations, and cell site identification numbers that could be used to determine the approximate geographic location of the caller at the time of each communication. While the content of calls and texts was not included, the metadata itself constituted a comprehensive communications surveillance dataset.
Cell site IDs can pinpoint a user's location to within a few hundred meters, and call pattern analysis can reveal social networks, daily routines, business relationships, and sensitive associations.
AT&T paid $373,646 to the threat actor in exchange for deletion of the stolen data and a video purporting to show the deletion process. The company disclosed this breach on July 12, 2024, via an SEC filing, noting that the U.S. Department of Justice had requested delayed public disclosure for national security reasons. The DOJ's involvement suggests the stolen metadata may have included communications records of individuals relevant to ongoing law enforcement or intelligence operations.
Regulatory Analysis
The AT&T breaches triggered regulatory scrutiny from multiple directions.
The Federal Communications Commission (FCC) opened an investigation into both incidents, examining whether AT&T complied with the FCC's updated data breach notification rules and the agency's broader requirements for telecommunications carriers to protect customer proprietary network information (CPNI). Under the Telecommunications Act of 1996, carriers have a statutory duty to protect CPNI--which explicitly includes call records, the exact data type exposed in the second breach.
The FCC's investigation also examined AT&T's compliance with its January 2024 updated breach notification rule, which requires carriers to notify affected customers within 30 days of discovering a breach.
The three-year gap between the first dataset's appearance on the dark web in 2021 and AT&T's official acknowledgment in March 2024 raised serious questions about the company's breach investigation and disclosure obligations.
AT&T maintained for three years that the data either did not originate from its systems or could not be confirmed as authentic. This position became untenable when independent validation proved the data matched AT&T customer records. Whether AT&T's three-year denial constituted a violation of state breach notification statutes--many of which require notification within 30 to 60 days of discovering a breach--depends on when AT&T itself determined or should have determined that the data was authentic. This question is central to the consolidated litigation.
The litigation was consolidated into a multidistrict proceeding (MDL 3:24-md-03114) in the Northern District of Texas. A combined settlement of $177 million was reached--$149 million attributable to the first breach and $28 million to the second--with final court approval granted on January 15, 2026. Affected individuals may claim up to $5,000 for documented losses from the first breach and $2,500 from the second.
While the settlement provides individual compensation, the per-customer figures are modest relative to the severity of SSN and communications metadata exposure. For a company of AT&T's scale--with $122 billion in 2023 revenue--the $177 million settlement represents approximately 0.14 percent of annual revenue, a figure unlikely to drive transformative security investment.
The Snowflake dimension of the AT&T breach was not an isolated incident. AT&T was one of at least 165 organizations compromised through Snowflake accounts lacking MFA in a campaign attributed to the threat group UNC5537. Other victims included Ticketmaster, Santander Bank, and LendingTree.
Snowflake itself was not breached--the attackers used credentials stolen from individual customers' environments. However, Snowflake's platform did not enforce MFA by default, and many enterprise customers had not enabled it. In the aftermath, Snowflake introduced mandatory MFA for all new accounts. The campaign demonstrated that cloud platform security is only as strong as the authentication controls individual tenants configure, and that platform providers bear responsibility for establishing secure defaults rather than treating MFA as an optional feature.
What Should Have Been Done
Passcode Security Architecture: Storing four-digit numerical PINs in any encrypted or hashed format provides a false sense of security.
With only 10,000 possible combinations, any encryption or hashing algorithm can be defeated through exhaustive search in trivial time. AT&T should have either implemented longer, more complex authentication credentials or adopted a zero-knowledge proof architecture where passcode verification does not require storing a value that can be reversed to the original PIN.
More fundamentally, four-digit PINs should not serve as primary authentication for account changes that can lead to SIM swaps and account takeovers.
Step-up authentication requiring multiple factors should be mandatory for any account modification that changes device assignments, contact information, or billing details.
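The passcode problem described above (a 10,000-value space that no storage format can protect once the record is in an attacker's hands) and the remedy this section calls for (verification that never stores a value reversible to the PIN, plus stronger factors for sensitive changes) can both be shown in a few dozen lines. The following is an added example, not AT&T's code or a description of its systems: it contrasts an unkeyed stored form that an audit can recover by exhaustive search with a keyed form (HMAC under a server-side secret, assumed to live in an HSM or secrets manager rather than the customer database) that is only checkable online, where a small failure budget applies. The SHA-256 transform, the `acct-1` identifier and the sample PIN are constructed for the example.

```python
import hashlib
import hmac
import math
from typing import Callable, Dict, Optional

# Added example, not AT&T's code: every four-digit numeric passcode is one of 10,000 values.
PIN_SPACE = 10_000


def pin_entropy_bits(space: int = PIN_SPACE) -> float:
    """Guessing entropy of a uniformly chosen PIN: log2(10000) is about 13.3 bits."""
    return math.log2(space)


def store_pin_unkeyed(pin: str) -> str:
    """Unkeyed storage (SHA-256 here, constructed for the example).

    Once the dataset leaks, anything computable from the record alone is no
    better than this: whoever holds the record can test every candidate offline.
    """
    return hashlib.sha256(pin.encode()).hexdigest()


def recover_pin_offline(stored: str, transform: Callable[[str], str]) -> Optional[str]:
    """Audit check: can the PIN be recovered from the stored value alone?

    `transform` is whatever the holder of the record is able to compute; with
    only 10,000 candidates the search finishes in milliseconds on any laptop.
    """
    for candidate in range(PIN_SPACE):
        pin = f"{candidate:04d}"
        if hmac.compare_digest(transform(pin), stored):
            return pin
    return None


def store_pin_keyed(pin: str, pepper: bytes, account_id: str) -> str:
    """Keyed storage: HMAC over (account_id, pin) under a server-side secret.

    The pepper (assumed to be held in an HSM or secrets manager, never in the
    customer database) is what a leaked dataset does not contain. Binding the
    account id prevents one precomputed table from covering every account.
    """
    return hmac.new(pepper, f"{account_id}:{pin}".encode(), hashlib.sha256).hexdigest()


class ThrottledPinVerifier:
    """Online-only verification: the server holds the pepper and counts failures.

    Because the stored value is useless without the pepper, every guess has to
    pass through this path, where a small failure budget defeats a 10,000-value
    space. Lockout state is in memory here; a deployment would persist it.
    """

    def __init__(self, pepper: bytes, max_failures: int = 5) -> None:
        self._pepper = pepper
        self._max_failures = max_failures
        self._failures: Dict[str, int] = {}
        self._records: Dict[str, str] = {}

    def enrol(self, account_id: str, pin: str) -> None:
        if not (len(pin) == 4 and pin.isdigit()):
            raise ValueError("four-digit numeric PIN expected")
        self._records[account_id] = store_pin_keyed(pin, self._pepper, account_id)

    def is_locked(self, account_id: str) -> bool:
        return self._failures.get(account_id, 0) >= self._max_failures

    def verify(self, account_id: str, pin: str) -> bool:
        if self.is_locked(account_id):
            return False
        expected = self._records.get(account_id)
        if expected is None:
            return False
        ok = hmac.compare_digest(store_pin_keyed(pin, self._pepper, account_id), expected)
        self._failures[account_id] = 0 if ok else self._failures.get(account_id, 0) + 1
        return ok


if __name__ == "__main__":
    leaked = store_pin_unkeyed("4821")  # constructed sample record
    print("entropy bits:", round(pin_entropy_bits(), 1))
    print("unkeyed record recovered:", recover_pin_offline(leaked, store_pin_unkeyed))

    pepper = b"\x01" * 32  # placeholder; a deployment draws this from a secrets store
    keyed = store_pin_keyed("4821", pepper, "acct-1")
    # Without the pepper the holder can only try transforms they can compute.
    print("keyed record recovered without pepper:", recover_pin_offline(keyed, store_pin_unkeyed))
    # If the pepper leaks as well, the 10,000-value space falls again: a PIN is not a secret
    # that can stand alone, which is why sensitive changes need an additional factor.
    print("keyed record recovered with pepper:",
          recover_pin_offline(keyed, lambda p: store_pin_keyed(p, pepper, "acct-1")))
```

The last print makes the point of the preceding paragraph concrete: the keyed form only moves the exposure from the database to the key, so a four-digit PIN remains a low-entropy factor and should gate nothing that leads to a SIM swap on its own.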
Multi-Factor Authentication on All Cloud Platforms: The Snowflake breach was entirely preventable with MFA. AT&T's failure to enable MFA on a cloud data warehouse containing call records for 110 million customers repeated the exact same class of failure that enabled the Change Healthcare breach just two months earlier. Organizations must enforce MFA on every cloud platform, SaaS application, and remote-access portal that provides access to customer data--without exception.
Cloud security posture management (CSPM) tools should continuously audit authentication configurations across all cloud tenants and flag any account that lacks MFA enforcement.
The AT&T Snowflake breach, and the 164 other organizations compromised in the same campaign, prove that treating MFA as optional on cloud platforms is equivalent to leaving the front door unlocked.
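The continuous audit the previous paragraphs ask of a CSPM tool reduces to a small rule set over an inventory of tenants and accounts. The following is an added example, not code from any CSPM product or from AT&T or Snowflake: it flags password-authenticated accounts without a second factor (rated higher when their roles reach customer data), service accounts relying on passwords, and, once per tenant, platforms where MFA is left to per-user opt-in rather than enforced tenant-wide, which is the failure mode of the Snowflake campaign. The field names and the sample inventory are constructed; a real collector would fill them from each platform's user listing and tenant settings (for Snowflake, the ACCOUNT_USAGE.USERS view is one such source) and treat SSO and key-pair logins as an assumption to verify at the identity provider, as the code comments note.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not a CSPM product's code. Field names are constructed; a real
# collector maps them from each platform's user inventory and tenant settings.


@dataclass(frozen=True)
class Account:
    platform: str
    tenant: str
    user: str
    auth: str                 # "password", "sso" or "keypair"
    mfa_enrolled: bool        # user-level second factor present
    customer_data: bool       # granted roles reach customer records
    service_account: bool = False


@dataclass(frozen=True)
class TenantPolicy:
    platform: str
    tenant: str
    mfa_required: bool        # tenant-wide enforcement, not per-user opt-in


@dataclass(frozen=True)
class Finding:
    severity: str
    platform: str
    tenant: str
    subject: str
    reason: str


SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


def audit_mfa(accounts: List[Account], policies: List[TenantPolicy]) -> List[Finding]:
    """Return findings sorted by severity; an empty list means every rule passed."""
    findings: List[Finding] = []
    by_tenant: Dict[Tuple[str, str], TenantPolicy] = {(p.platform, p.tenant): p for p in policies}

    # Tenant level: MFA left as an opt-in is flagged once, independent of who has enrolled.
    for policy in by_tenant.values():
        if not policy.mfa_required:
            findings.append(Finding("HIGH", policy.platform, policy.tenant, "<tenant>",
                                    "MFA not enforced at tenant level; per-user opt-in is unreliable"))

    for acct in accounts:
        if (acct.platform, acct.tenant) not in by_tenant:
            findings.append(Finding("MEDIUM", acct.platform, acct.tenant, acct.user,
                                    "tenant missing from policy inventory; enforcement unknown"))
        if acct.auth != "password":
            # SSO and key-pair logins are assumed to carry MFA at the identity provider;
            # that assumption must be checked there, not here.
            continue
        if not acct.mfa_enrolled:
            kind = "service account" if acct.service_account else "user"
            scope = " with customer-data access" if acct.customer_data else ""
            severity = "CRITICAL" if acct.customer_data else "HIGH"
            findings.append(Finding(severity, acct.platform, acct.tenant, acct.user,
                                    f"{kind} with password login and no MFA{scope}"))
        if acct.service_account:
            findings.append(Finding("MEDIUM", acct.platform, acct.tenant, acct.user,
                                    "service account uses a password; prefer key-pair or workload identity"))

    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.platform, f.tenant, f.subject))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample inventory: one data-warehouse tenant with opt-in MFA, one
# collaboration tenant with MFA enforced.
SAMPLE_POLICIES = [
    TenantPolicy("snowflake", "acme-prod", mfa_required=False),
    TenantPolicy("m365", "acme", mfa_required=True),
]
SAMPLE_ACCOUNTS = [
    Account("snowflake", "acme-prod", "analytics_user", "password", False, True),
    Account("snowflake", "acme-prod", "etl_svc", "password", False, True, service_account=True),
    Account("snowflake", "acme-prod", "dba_sso", "sso", True, True),
    Account("m365", "acme", "helpdesk", "password", True, True),
    Account("m365", "acme", "intern", "password", False, False),
]


if __name__ == "__main__":
    results = audit_mfa(SAMPLE_ACCOUNTS, SAMPLE_POLICIES)
    for f in results:
        print(f"{f.severity:8} {f.platform}/{f.tenant} {f.subject}: {f.reason}")
    print(summarize(results))
```

Run against the sample inventory, the two CRITICAL findings land on the warehouse accounts that combine password login, no second factor and customer-data reach, which is exactly the profile of the account at the center of the breach described above; the tenant-level HIGH finding is what would have fired before any user was compromised.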
Timely Breach Acknowledgment and Investigation: AT&T's three-year delay between the first dataset's dark web appearance and official acknowledgment is indefensible regardless of the company's uncertainty about the data's origin. When customer data bearing a company's identifiers appears on criminal forums, the company must immediately conduct a forensic investigation to determine authenticity--not spend three years denying involvement while 73 million customers remain unaware their Social Security numbers are circulating freely.
Prompt investigation, even when the source is uncertain, is both a legal obligation under breach notification statutes and a basic duty of care to affected individuals.
AT&T suffered two separate breaches within months of each other, exposing Social Security numbers, trivially reversible passcodes, and communications metadata for a combined 183 million customers. Both incidents shared the same root cause: stolen credentials on systems without multi-factor authentication. The $177 million settlement, while meaningful for individual claimants, represents a fraction of a percent of AT&T's revenue.
For telecommunications carriers and any organization storing sensitive customer data in cloud platforms, the AT&T case demonstrates that MFA is not a security enhancement but a minimum viable control--and that denying a breach for three years does not make it go away.