AT&T Database Leak Raises Major Concerns as 86 Million Unique Records, Decrypted SSNs Exposed 

• The public disclosure of an extensive AT&T customer data breach reportedly affected over 86 million individuals.
• It is not yet definitively established whether this leak is directly tied to the April 2024 Snowflake breach.
• Yet, the presence of decrypted SSNs in plain text marks a significant escalation.

Reports say a hacker collective, believed to be the ShinyHunters group, leaked 86 million unique AT&T customer records after exploiting vulnerabilities in the Snowflake cloud data platform, and reportedly contains a trove of sensitive information.

The breach, which was circulated on Russian cybercrime forums in mid-May and re-uploaded in early June, includes full names, dates of birth, phone numbers, email and physical addresses, and, most alarmingly, over 44 million decrypted Social Security Numbers (SSNs).

Hackread confirmed the data’s legitimacy and noted the structural differences compared to previous AT&T-related leaks. What sets this incident apart is the nature of the exposed data. 

Unlike previous leaks, where some data fields were encrypted, this dataset includes SSNs and birthdates in plain text. The well-structured dataset comprises three CSV files, substantially simplifying analysis and, potentially, exploitation by malicious actors. 

The origins of this breach present additional complexities. While the threat actor behind the leak claims the database results from a vulnerability exploited during the infamous Snowflake cloud data warehouse attack in April 2024, there are inconsistencies. 

For one, the dataset contains more entries (over 86 million unique records after duplicates were removed) than the originally reported 70 million from the Snowflake incident. 

Additionally, the type of data in this leak does not precisely match what was documented in the confirmed Snowflake compromise, which focused more on call and text metadata rather than personally identifiable information.

Multiple incidents since 2021 have exposed customer data, with the notorious ShinyHunters group linked to previous leaks. Notably, this most recent leak appears to be an enhanced version of past datasets, now with previously encrypted SSNs decrypted and mapped, escalating the threat for victims.

Despite prompt incident response measures from AT&T and engagement with third-party cybersecurity experts, ambiguity surrounds the exact source and scope of this data exposure. AT&T acknowledges the existence of the data for sale but maintains that the material may be repackaged from prior incidents. 

Security experts quickly voiced their concerns for TechNadu, including Thomas Richards, Infrastructure Security Practice Director at Black Duck, Trey Ford, CISO at Bugcrowd, and Darren Guccione, CEO at Keeper Security. 

Thomas Richards emphasized the heightened risk for affected consumers, stating, “With both date of birth and SSNs being compromised, malicious actors have all the information they need to commit fraud and impersonate AT&T customers.” 

Trey Ford shifted the focus to the broader systemic issue, highlighting the persistent reliance in the U.S. on static identifiers like the SSN. “We need to de-value the SSN as loot to be stolen for profit and adopt a more meaningful, better-controlled, and more secure option,” Ford argued.

Darren Guccione underscored the necessity of layered, zero-trust architectures and privileged access management, warning that robust password policies and multi-factor authentication alone are insufficient. “Effective cybersecurity isn’t just about sealing off the front door–it requires vigilance in closing known security gaps and limiting damage when defenses fail,” he said.