(TechCrunch) Phone giant AT&T has reset millions of customer account passcodes after a huge cache of data containing AT&T customer records was dumped online earlier this month, TechCrunch has exclusively learned.
The U.S. telco giant initiated the passcode mass-reset after TechCrunch informed AT&T on Monday that the leaked data contained encrypted passcodes that could be used to access AT&T customer accounts.
A security researcher who analyzed the leaked data told TechCrunch that the encrypted account passcodes are easy to decipher. TechCrunch alerted AT&T to the security researcher’s findings.
In a statement provided Saturday, AT&T said: “AT&T has launched a robust investigation supported by internal and external cybersecurity experts. Based on our preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.”
“AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set,” the statement said.
TechCrunch held the publication of this story until AT&T could begin resetting customer account passcodes. AT&T also has a post on what customers can do to keep their accounts secure.
AT&T customer account passcodes are typically four-digit numbers that are used as an additional layer of security when accessing a customer’s account, such as calling AT&T customer service, in retail stores, and online.
This is the first time that AT&T has acknowledged that the leaked data belongs to its customers, some three years after a hacker claimed the theft of 73 million AT&T customer records. AT&T had denied a breach of its systems, but the source of the leak remains inconclusive.
AT&T said Saturday that “it is not yet known whether the data in those fields originated from AT&T or one of its vendors.”
In 2021, the hacker claiming the AT&T breach posted only a small sample of records, making it difficult to check if the data was authentic. Earlier in March, a data seller published the full 73 million alleged AT&T records online on a known cybercrime forum, allowing for a more detailed analysis of the leaked records. AT&T customers have since confirmed that their leaked account data is accurate.
The leaked data includes AT&T customer names, home addresses, phone numbers, dates of birth and Social Security numbers.
Croley said it was not necessary to crack the encryption cipher to unscramble the passcode data.
Croley took all of the encrypted passcodes from the 73 million data set and removed every duplicate. The result amounted to about 10,000 unique encrypted values, which correlates to each four-digit passcode permutation ranging from 0000 to 9999, with a few outliers for the small number of AT&T customers with account passcodes longer than four digits.