AT&T has launched a formal investigation after threat actors leaked a database containing personal information of over 86 million individuals, including decrypted Social Security Numbers (SSNs), on multiple cybercrime forums.
The company told CyberInsider it had only recently learned of the leak and is currently assessing the data’s origin.
The dataset was first posted on a prominent Russian-language hacking forum on May 16, 2025, and re-uploaded on June 3, prompting broader circulation across underground platforms. The leak was initially claimed to involve 70 million customer records, but Hackread analysis revealed a total of 88,320,018 entries, 86,017,090 of which are unique after deduplication. The contents include:
- Full names
- Dates of birth
- Phone numbers
- Email addresses
- Physical addresses
- 44 million plaintext SSNs
The alarming aspect of this leak is the inclusion of fully decrypted SSNs and dates of birth, which were previously encrypted in earlier breaches. This development significantly raises the risk of identity fraud and impersonation for affected individuals.
CyberInsider
AT&T is the largest wireless carrier in the United States and the fourth-largest telecommunications firm globally by revenue. It has previously dealt with several data security incidents, many involving the hacking group ShinyHunters. Notably, the company confirmed in March 2024 that data leaked from a 2021 breach, originally denied, did indeed belong to AT&T, affecting 73 million current and former customers. That breach included encrypted SSNs, which now appear decrypted in the latest leak.
The group behind the most recent leak claims the dataset originated from an April 2024 breach linked to the Snowflake cloud data platform, which was exploited by attackers using stolen credentials without multi-factor authentication. That incident compromised AT&T’s Snowflake environment and exposed metadata for nearly 110 million users. However, the newly leaked database does not match the format or contents of the Snowflake-related breach, which involved call and text metadata, not personal identifiers.
Despite the overlap in some user records and fields with the 2024 Snowflake breach, analysis suggests that the newly leaked data is a cleaner, more structured dataset, divided into three CSV files, compared to the disorganized format of previous leaks. This organization, along with the decryption of previously encrypted SSNs, makes the latest release particularly dangerous.
AT&T has not confirmed whether the new dataset stems from the April 2024 breach, an older leak that has been repackaged, or a separate incident entirely. In a statement to CyberInsider, a company spokesperson noted, “It is not uncommon for cybercriminals to re-package previously disclosed data for financial gain. We just learned about claims that AT&T data is being made available for sale on dark web forums, and we are conducting a full investigation.”
We will update this post as new information becomes available from AT&T. In the meantime, customers should elevate security on their accounts (use strong passwords and MFA), monitor credit reports, and be vigilant for phishing or scamming attempts.
Leave a Reply