Consider getting in touch with your senator or representative [0] and also the FCC [1]. The recent changes we're seeing in other areas of the federal government give reason to stay a bit hopeful that the treatment of these kinds of breaches doesn't stay the norm.
Lack of stewardship for folks' data should not just be the "cost of doing business".
I've been with AT&T since they merged with Cingular in 2004-2006 or so, and according to https://haveibeenpwned.com/ I'm not included in this dump. However, I didn't split my account from my parents until 2021 or so, so I'm not sure if I would have been or not if this was from before then.
Edit: My parents' email addresses aren't showing in this dump either. Looks like we weren't included at all, so it can't just straight be all AT&T customers.
I too have been with AT&T since the Cingular merger and am also not in the HIBP db. I use a custom email address related to Cingular, which I otherwise would have forgotten existed.
I've been with AT&T forever, I've used a custom email address for AT&T since forever, and my email address is also not in the dump (I have a Premier account.)
According to this chart (whose source you have to pay to see, so unknown reliability), ATT Wireless has had well north of 150m customers in the date range in question, so it wouldn't be all of them.
150M lines, maybe, but not all of 'em translate into customers. It's a slightly grey area how you see the customer from a financial standpoint vs an account management standpoint. IMHO 150M lines may roughly be 30 million customers at the max who could/would have shared their billing address/email address with ATT.
Just checked and I'm not in it either according to haveibeenpwned.com, but I was an AT&T customer for over 15 years and only recently stopped being an active customer.
This is always my first concern anytime I want to register a domain. How much is it worth to me to also register variants of it just to protect against this? It used to be just own all the TLDs, but now we have common typos as well just to protect your brand. For a money generating company, a few hundred monetary units annually isn't too bad, but sheesh, just another example of how people are assholes!!
Keep in mind that HIBP doesn't offer any bare name, physical address, phone number, social security number, or birthdate lookup (at least as far as I can tell). I would take its utility regarding this breach with a grain of salt, and query the actual raw dataset if I wanted to be absolutely sure.
My att@ address is also in the data set. I've used AT&T wireless, landline, and u-verse/fiber, all in California, but didn't think to use different addresses for them [1]. Additionally, in May 2023, someone attempted to open a Bank of America account using my att@ email address and presumably other details from the data. So that was fun.
[1] maybe the wireless was with cingular@ though, I think I signed on before AT&T reassembled, like the T-1000.
I think what AT&T is saying is that it wasn't taken from AT&T servers. Rather, AT&T gave the data to some third-party data-processor (i.e. to some ad company), and that company then lost it.
... Honestly, that shouldn't really make us feel any better about them though, like why would AT&T give out data that includes SSNs to third-party data-processors.
I'm pretty sure I have several lifetimes' worth of free credit monitoring with all the breachleaks happening all the damn time, if I could be arsed to redeem them.
But the static pieces of information like address, phone number, etc. can carry over between services. Is there any reason to suspect a Frankenstein breach, where only the subscriber email list was leaked, and the other data was correlated into personas, giving the impression it all came from one source?
They would need more than an email address to make a meaningful match in this case, since we're stating the email is unique to AT&T.
That being said, I've never heard of hackers performing Master Data Management but I guess it's possible. I'd hope they'd use something other than full name for their matches...
I find it funny that companies like AT&T and Equifax are barely scrutinized for their data handling practices compared to the Amazon and Googles of the world. I wonder why that is.
Yes! Equifax has very lax security. Last year they leaked my social insurance number to a fraudster. When they were describing this on the phone they didn't seem to think they did anything wrong. What makes it worse is I never even gave it to them - they just get it straight from the government I guess?
My first instinct was lobbying spend, but Amazon and Google show up in the top 20 and Equifax isn't on the list (although, I have my suspicions that the numbers here aren't necessarily the whole picture. Financial chicanery is a whole industry, after all). [1]
I can imagine, though, that hiding information is a lot easier when you're less often in the public eye. Amazon and Google, through their ubiquity, have a higher hill to climb when it comes to avoiding scrutiny.
I think that they realise that they can shift the burden of proof onto the accusers and call it a day. Unless the people behind the breach actually claim responsibility and allege it was AT&T that was breached, it's near impossible for anyone to prove them wrong.
The legal and PR teams just stick their heads in the sand. For example one could say "While there was unauthorized access there is no evidence that any personal information was taken." There's zero incentive to confirm the extent of PII leaks as it just triggers more liability and regulatory scrutiny.
My guess, with AT&T being an enormous and ancient corporation long past its glory days, is that internally it's a stale mess serviced by people unwilling to dive into it.
The breach did happen, but things under the hood are so bad that they have no idea it happened. The layers of incompetence and don't-give-a-fuck completely obscure the evidence. The IT team, staffed mostly by young green cards who weren't even in this country 3 years ago, stare blankly at AT&T's internal auditing system developed in the 90's with a long dead and strictly proprietary language. Doesn't matter because the system didn't even catch the breach anyway. As you move up the chain, people just get more divorced from reality as they live in the delusion of AT&T still being a forefront technology company. So of course the breach didn't happen to them.
That is correct. This kind of large legacy company has zero engineering culture. Engineering is not rewarded nor empowered to do its job well and is sometimes seen as a threat (engineering working too well = entire departments could become redundant), which means nobody competent joins/stays there and only mediocrity remains.
So you are confident that they didn't leak this data?
Also, young green card in this context is synonymous with cost cutting. Young being inexperienced, green card being cheap. I apologize if you racially identify as green card.
You could have just said cheap and or inexperienced. Adding “green card” and the part about not being from here adds a layer of political and racial under tone even though green card isn’t necessarily a race.
When they called me curry girl it was a racist remark even though curry is not a race.
Green card/implication of foreign labor does add an extra bit of information beyond just inexperience - it's that they are likely to be less acquainted with the laws/regulations which means they can be convinced to do illegal things and are less likely to know their rights and stand up to bad/illegal treatment by their employer.
> ATT is equally responsible for data leaks from companies they share data with.
Liability from 3rd party breaches is avoided if the 3rd party has shown that they did their due diligence in maintaining their security.
If they show that they are in SOC 1/2 compliance along with other similar compliance frameworks, that is enough.
> auditing is rigorous
Having dealt with and seen this from SMEs to F10s I guarantee you it's nowhere near as rigorous as you expect, and that this is a common issue across all organizations - even some darlings on HN that people view as deeply technical.
Theory: AT&T has a known relationship with the NSA. Maybe the leak was due to an NSA screw-up. In that case, they're telling a half-truth but wouldn't be allowed to tell the whole truth.
Theory: Someone at AT&T suffered a traumatic brain injury, posted all this data, forgot about it, quit, and is now living in a cottage somewhere in the mountains of Canada.
The NSA screwed up and it ended up in the hands of someone who routinely hacks into large corps?
This doesn’t pass the basic smell test. I really don’t want HN to fall down the conspiracy hole that much of the internet now has. It’s eating away at our societal fabric and is wrong 99.9% of the time.
One of my email addresses is listed in HIBP under the ATT leak. I haven’t had this address with ATT in 2021 and probably many years before that. Either the data doesn’t come from ATT or it’s really old. Unfortunately I cannot see the other details... address would be a good point in time reference.
Just once, I wish a journalist would ask for a clarification wrt absence of evidence. "Are you saying you don't know or have no way of knowing whether there was a data breach?"
I've had cell service with ATT since at least 1998, with the same email address the entire time. I do not use any of ATT's other services, never have. I am not on this list.
Same here, and my personal email is also not in the list.
However, my former work email, that I used to sign up for both U-verse fiber and a corporate mobile account, is on the list. I suppose that all happened in 2016-2018.
I got a notification from HIBP about this with my email address. I'm not currently an AT&T customer, but I was a customer of them back in 2015-2017 for AT&T UVerse.
Then likely your account info is exposed. I know a couple of former AT&T U-verse subscribers (not current) whose account info, including SSN, has been exposed.
Seeing this now, it makes a lot of sense how the scammers would know to target me.
tl;dr is that some scammers knew I had an AT&T account, and called posing as some AT&T branch that could only speak Chinese (ostensibly serving NYC Chinatown). I think they're targeting 2nd-gen Chinese speakers and forcing them into likely broken Chinese to throw them off guard.
Maybe we need a financial system where an unchangeable nine digit number is the passcode to unlimited credit. Maybe “instant credit” isn’t something we actually need as a society so we can have some more checks and balances. Maybe people shouldn’t be on the hook when banks idiotically loan to anyone with the magic number.
But if we did that financial executives won't be able to afford that 5th vacation home! I'll stay here in the muck with my stolen identity incurred debt thank you very much. One day I'll tug these bootstraps hard enough.
> I've personally also used identity theft protection services since as far back as the 90's now, simply to know when actions such as credit enquiries appear against my name.
I've always thought companies offer those for ulterior motives, e.g. maybe they get a fee for giving the protection service future customers. Do others use them? Maybe I've been wrong here.
I think encrypted DOBs and SSNs are the smoking gun. There may be no way to prove that '1996-07-18' DOB came from AT&T but it's quite hard to deny that the encrypted value '*0g91F1wJvGV03zUGm6mBWSg==' was produced by their systems (or not).
I don’t understand this comment, you say the encrypted values “are the smoking gun”, then at the end you say “(or not)”. Are you saying this happened, and the encrypted values show it, or are you just saying that they seem like evidence either way?
Even if we had AT&T’s keys, I think it might be non-trivial to verify that they correspond to this data, depending on how AT&T encrypts.
> Even if we had AT&T’s keys, I think it might be non-trivial to verify that they correspond to this data
What I was trying to say is that if AT&T systems (or a backup) contain that exact encrypted value (no need for a decryption key), it's a near-certain proof that the data came from their system.
> then at the end you say “(or not)”.
Well, only AT&T DBAs/SREs should be able to confirm what I wrote above and I don't want to accuse anyone without proof. Same reason why Troy Hunt wrote "allegedly".
The original comment comes off a bit more like an accusation with an escape clause. I'd agree that if the leaked data contains exactly the same information as the alleged source's servers, it would be evidence of the veracity of its source, but that has nothing to do with whether or not the data is encrypted.
I beg to differ. If the PII in the leak matches what's in AT&T DBs, they can still maintain plausible deniability that there is no proof the PII leaked from them. An encrypted DOB requires the DOB and an encryption key. The latter shall be unique and securely stored in their system and that's why I referred to presence of the encrypted data specifically as a smoking gun.
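The distinction drawn in this exchange (a matching plaintext DOB proves little because PII is shared across companies, while a matching ciphertext value can only have been produced by whoever holds the key) is easy to see in code. The example below is an added illustration, not code from the thread or from AT&T; AT&T's actual encryption scheme and keys are unknown, so HMAC-SHA256 truncated to 16 bytes and base64-encoded stands in for a deterministic per-field encryption (it gives the same 24-character shape as the value quoted above). Keys, dates and records are all constructed.

```python
"""Ciphertext-presence check as evidence of provenance (added example).

Assumption: the encryption is deterministic (same DOB + same key -> same
stored value), which is what a fixed per-row value in a dump suggests.
With randomized encryption (fresh IV/nonce per row) this value-matching
check does not work and only the key holder can verify by decrypting.
"""
import base64
import hashlib
import hmac
import secrets


def keyed_value(dob: str, key: bytes) -> str:
    """Deterministic keyed transform standing in for field encryption.

    HMAC-SHA256 truncated to 16 bytes, base64-encoded. Same input and key
    give the same output; a different key gives an unrelated output.
    """
    mac = hmac.new(key, dob.encode(), hashlib.sha256).digest()[:16]
    return base64.b64encode(mac).decode()


def build_records(dobs, key: bytes):
    """What an operator's table (or a dump taken from it) looks like."""
    return [{"dob": dob, "dob_enc": keyed_value(dob, key)} for dob in dobs]


def provenance_check(leaked_rows, db_rows):
    """Compare a leak against an operator's own table by value only.

    No key is needed: whoever can read the encrypted column can run this.
    Returns (plaintext_overlap, ciphertext_overlap). The first number is
    high for any operator that serves the same people; the second is high
    only for the operator whose key produced the leaked values.
    """
    leaked_plain = {r["dob"] for r in leaked_rows}
    leaked_ct = {r["dob_enc"] for r in leaked_rows}
    db_plain = {r["dob"] for r in db_rows}
    db_ct = {r["dob_enc"] for r in db_rows}
    return len(leaked_plain & db_plain), len(leaked_ct & db_ct)


def demo():
    """Constructed scenario: two operators hold the same customers' DOBs
    under different keys; the leak was taken from operator A."""
    key_a = secrets.token_bytes(32)  # constructed stand-in for A's stored key
    key_b = secrets.token_bytes(32)  # constructed stand-in for B's stored key
    people = ["1996-07-18", "1980-01-02", "1975-11-30"]
    db_a = build_records(people, key_a)
    db_b = build_records(people, key_b)
    leak = build_records(people[:2], key_a)
    # Against A: both plaintext and ciphertext match.
    # Against B: plaintext matches (shared PII), ciphertext does not.
    return provenance_check(leak, db_a), provenance_check(leak, db_b)


if __name__ == "__main__":
    against_a, against_b = demo()
    print("vs operator A (plain, cipher):", against_a)
    print("vs operator B (plain, cipher):", against_b)
```

The check is one a DBA or SRE can run without ever handling the key, which is the point the comment makes: ciphertext presence is the evidence, decryption is not required. The caveat is the deterministic-encryption assumption stated at the top of the block; a scheme that salts or uses a per-row IV would defeat value matching.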
I use unique email addresses for each company; the one I use with AT&T (and only them) is in the dump. So I know at least the email was leaked from them.
Of course that doesn't say anything about the other PII but at this point, I figure my PII has already been leaked multiple times.
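Several people in this thread attribute a leak to its source by giving each company its own address, and one mentions 28 variations of their address showing up across breaches. The script below is an added example (not from the thread) of turning that habit into a repeatable check over a raw dump: it normalises addresses (case, plus-tags), keeps only rows on a domain you control, and maps each alias back to the company it was handed to, flagging aliases you did not expect. The domain example.test, the alias table and the dump rows are all constructed.

```python
"""Attribute a breach dump to a company via per-company email aliases.

Added example. Assumes a catch-all domain the reader controls (example.test
here, constructed) with one alias per company (att@, cingular@, ...).
"""
import csv
import io
from collections import defaultdict

# Constructed sample rows of a leaked export. Real dumps carry many more
# columns; only the email column is needed for attribution.
SAMPLE_DUMP = """email,zip
ATT@Example.test,94110
cingular+old@example.test,94110
netflix@example.test,10001
someone@elsewhere.test,60601
shop.bob@example.test,30301
"""

# Alias local-part -> company that alias was given to. Constructed.
ALIASES = {
    "att": "AT&T",
    "cingular": "Cingular (pre-merger)",
    "netflix": "Netflix",
}

MY_DOMAIN = "example.test"


def normalise(addr: str):
    """Lower-case the address and drop a +tag from the local part."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    return local, domain


def attribute(dump_text: str, domain: str, aliases: dict) -> dict:
    """Return {company: [addresses as they appear in the dump]}.

    Rows on other domains are ignored. Addresses on your domain whose
    alias is not in the table are reported as 'unknown alias', so the
    "28 variations" problem surfaces instead of being silently skipped.
    """
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(dump_text)):
        local, dom = normalise(row["email"])
        if dom != domain:
            continue
        company = aliases.get(local, f"unknown alias '{local}'")
        hits[company].append(row["email"])
    return dict(hits)


if __name__ == "__main__":
    report = attribute(SAMPLE_DUMP, MY_DOMAIN, ALIASES)
    for company, addrs in sorted(report.items()):
        print(f"{company}: {', '.join(addrs)}")
```

Feed it the email column of a real dump (one CSV with an `email` header) and your own alias table; a hit on an alias used with exactly one company is the same evidence the comment above relies on, and it does not depend on any breach-notification service choosing to index your domain.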
To an extent, we're all the product on HIBP. The site runs commercial subscriptions, where services pay some nominal fee to find out if its users are reusing a password they used on NeoPets 20 years ago. The site also runs some advertising. Irrespective of how optimised the application is, it has infrastructure and staff costs which need to be paid for in some way.
There are 13bn leaked accounts on the site, and although Hunt does appear to run the site entirely selflessly with little/no profit motive, there is at least some commercialisation of the accounts listed bringing in revenues to cover its costs.
It's free for us because somewhere in the chain, someone is paying for data about us - even if their use-case isn't nefarious.
I own my own domain name, and 28 variations of my email address have appeared in various breaches. In order to search and receive alerts for my domain, I had to sign up for a $16/mo service.
[0] https://www.usa.gov/elected-officials
[1] https://consumercomplaints.fcc.gov/hc/en-us/articles/8824334...