Editor’s Note: This article has been updated to correct a mischaracterization of the nature of the data involved in the reported leak. The original version stated: “The current leak appears to represent cleaned-up and enhanced versions of the older stolen data, with cybercriminals removing internal AT&T information while adding decrypted personal details that were previously protected by encryption.”
According to an AT&T spokesperson, this is not accurate. Social Security Numbers and Dates of Birth were already available in plain text in the original compromised dataset from 2024 (in separate files that could be combined).
This clarification has been incorporated to ensure accuracy and transparency in reporting.
Cybercriminals have released an enhanced version of previously stolen AT&T customer data containing over 86 million records that includes fully decrypted Social Security numbers and birth dates, creating heightened identity theft risks for affected customers.
The data, first posted on a Russian cybercrime forum on May 15, 2025, and redistributed on June 3, includes full names, addresses, phone numbers, email addresses, and nearly 44 million Social Security numbers—all now in plain text format that makes identity theft significantly easier for bad actors.
Not a New Breach, But More Dangerous
While the threat actor claimed the data came from AT&T’s 2024 Snowflake breach, the telecommunications giant and cybersecurity researchers believe this represents repackaged information from earlier incidents. The exact composition remains under investigation, with some reports suggesting it may combine data from multiple breaches.
“After analysis by our internal teams as well as external data consultants, we are confident this is repackaged data previously released on the dark web in March 2024,” AT&T shared. “Affected customers were notified at that time. We have notified law enforcement of this latest development.”
A Complex History of AT&T Breaches
This latest incident traces back to a 2021 cyberattack by the ShinyHunters hacking group, which claimed to have stolen data on 70 million AT&T customers. AT&T initially denied the breach but reversed course in March 2024, acknowledging that 73 million current and former customers were affected.
Separately, AT&T suffered another major breach in April 2024 when hackers exploited Snowflake cloud platform vulnerabilities, stealing call and text metadata for 110 million customers. The company reportedly paid a $370,000 Bitcoin ransom to have that data deleted.
The current leak appears to be a repackaging of data previously compromised in 2024, with cybercriminals restructuring the files for broader distribution. According to an AT&T spokesperson, Social Security Numbers and Dates of Birth were already available in plain text in the original dataset, contained in separate files that could be combined to reconstruct full personal records. No newly decrypted personal details have been added.
Legal and Business Implications
The incident has prompted class-action lawsuits against AT&T, though legal proceedings are still developing. The repeated security incidents and AT&T’s initial denial followed by later acknowledgment have drawn criticism over the company’s security practices and transparency.
For legal professionals handling data breach cases, this incident highlights the long-term liability risks companies face. Stolen data can resurface years later in more dangerous forms, potentially extending legal exposure well beyond initial breach notifications.
Affected customers should take several protective steps, including monitoring credit reports for unauthorized accounts or suspicious activity, enabling multi-factor authentication on financial and other important accounts with a preference for app-based verification over SMS, and considering credit freezes to prevent new accounts from being opened without authorization. Security experts also warn customers to watch for social engineering attacks that may use the leaked personal information to appear legitimate.
AT&T continues offering credit monitoring and identity theft protection services to affected customers and is not planning additional notifications for this repackaged data.
Industry Takeaways
The incident demonstrates how legacy breach data poses ongoing risks as cybercriminals develop new techniques to enhance and monetize stolen information. For organizations handling sensitive data, this underscores the importance of implementing robust encryption that can withstand future attack methods, maintaining continuous monitoring for reappearance of previously stolen data, developing long-term customer protection strategies extending beyond initial breach response, and ensuring transparent communication with stakeholders about evolving threats.
The ShinyHunters group remains under investigation by multiple law enforcement agencies and has been linked to major breaches at Ticketmaster, Santander Bank, and other high-profile targets.
This developing story reflects the evolving cybersecurity landscape where initial data breaches can have consequences extending years beyond their discovery, requiring organizations to maintain vigilance and customer protection measures on an ongoing basis.
Assisted by GAI and LLM Technologies
Source: HaystackID published with permission from ComplexDiscovery OÜ