Getty Images/iStockphoto

AT&T data breach: What's next for affected customers?

Another breach has affected millions of people -- this time it is AT&T customers. Learn more about this AT&T breach and what to do if you were part of this attack.

The number of cyberattacks against businesses continues to grow, and AT&T has been added to the list of victims. Nearly all customers of the telecommunications giant were affected by a security breach with their call and text records downloaded by a third-party platform.

The breach occurred in April 2024 but wasn't announced until July. On July 12, 2024, AT&T said its breach did not include personally identifiable information, such as Social Security numbers. AT&T provided additional details about the incident in an 8-K filing. The FBI released a statement: "In assessing the nature of the breach, all parties discussed a potential delay to public reporting ... due to potential risks to national security and/or public safety."

An anonymous hacker said AT&T paid them $370,000 to delete data from these stolen records, according to a report from Bloomberg.

This is not AT&T's first attack in 2024. The company faced another breach in March 2024, where data was leaked on the dark web. AT&T said the information leaked was AT&T data-specific fields and offered credit monitoring services to those affected.

As more details emerge from this breach and the trend of cyberattacks continues to grow, it becomes increasingly important for customers and businesses to take steps to protect their data.

Who was affected by the AT&T data breach?

Almost everyone with AT&T mobile service -- nearly 110 million customers -- has been affected by this breach.

AT&T said it would notify affected customers by mail, text or email. However, customers with AT&T mobile service between May 1, 2022, and Oct. 31, 2022, along with a select few accounts active on Jan. 2, 2023, should consider their records stolen.

Other users may also be at risk. AT&T said that information from mobile virtual network operators, which are companies that use AT&T's infrastructure, was also exposed in this attack. Although AT&T hasn't named the exact companies, examples of these types of operators include Boost Mobile and Cricket Wireless.

What can hackers do with the stolen AT&T phone and text records?

The attackers do not have the content of the calls or texts but do have the estimated locations. The phone company logs the nearest cellular tower each time a device connects to a mobile network, which gives a map and timeline of a person's cellphone use.

Even though the compromised data does not include the names associated with the phone numbers, online tools exist to find this information and trace users to specific numbers. Attackers can piece together events from these records to uncover who calls who, which could affect people's private connections. The same can be said by matching personal phone calls to business numbers, exposing an individual's private information and uncovering a company's customers.

With information such as frequent phone numbers called, attackers can impersonate a manager, bank, doctor's office or family member and request money. Stolen phone records could also be used for blackmail for people having affairs, enable abusers or stalkers to find former partners, or help criminals find the homes of victims or prosecutors.

Location data from cellphones is considered sensitive information. The Supreme Court requires extra legal protections for this information, and police must have a warrant to gather historical cellphone location data from wireless providers.

Perhaps the largest issue lies beyond personal usage of cell data. Foreign intelligence agencies could use location details to spy on U.S. government activities and specific targets by tracking their movements.

How has AT&T responded?

AT&T identified the data was stolen and stored on the Snowflake-hosted cloud workspace. AT&T said it did not affect its network. AT&T's statement on July 12, 2024, said the investigation is ongoing, and it has enlisted cybersecurity experts to understand the magnitude and scope of this breach. It has also closed the unlawful access point. At least one person has been apprehended, according to AT&T.

AT&T has a dedicated site for customers to answer questions and review updates to this breach. The telecommunications company is now also facing a class action lawsuit for this breach.

Can customers do anything to protect their data further?

There are some steps customers can take to protect themselves from further scams, such as attempts to steal credit card information:

  • Be extra vigilant. If phone calls or texts appear from a family member, bank or place of employment, do not respond with sensitive or private information, such as passwords, money or photos. Even if the text seems to be a desperate plea for money from a family member, always contact the person directly. Never respond to a call or text from an unknown sender -- it could be a form of phishing using text messages to steal personal information.
  • Report any fraud. AT&T said to report any fraud calls on wireless numbers to its fraud team by visiting attfraud.custhelp.com.
  • Don't trust caller ID entirely. Caller ID can be easily spoofed. Always call a business or person directly using a trusted phone number.
  • Do not have ID confirmation codes sent via text. To confirm an identity when logging in to a bank account, social media account or other online account, the site may want the user to verify identity by sending a confirmation code. Consider using an app to generate single-use codes, such as Authy or Google Authenticator, instead of text message codes or send confirmation codes to email. Criminals can intercept calls or texts.
  • Keep information updated. Be sure all contact information at banks and credit card companies is updated so companies can alert account holders of fraudulent activities immediately.
  • Do not click on links. Never click on a link in a text message or email. Be cautious of any links, no matter how authentic they appear -- go to the trusted website through a browser. Check that the site is secure by looking for a closed padlock in the web browser address bar and "https" in the address, as opposed to "http."
  • Secure online accounts. Use strong passwords, and update any weak or recycled passwords for online accounts. To help remember various passwords, consider a password manager. Enable two-factor authentication whenever possible.
  • Monitor finances. Be sure to check bank and credit card statements for fraudulent transactions. Respond to messages or calls asking to confirm fraudulent transactions, but also beware of scammers using these messages for spoofing. Always contact the bank or credit card fraud department directly to verify.
  • Use encrypted messaging apps. Consider encrypted messaging apps, such as WhatsApp or Signal, for sensitive or private messages. These apps secure activity with end-to-end encryption to prevent access even from wireless providers. The receiver and sender both need to use these apps for the encryption to work on a message.

Learn more about the differences between hacking and spoofing.

Amanda Hetler is senior editor and writer for WhatIs, where she writes technology explainer articles and works with freelancers.

Next Steps

Social Security number data breach: What you need to know

Halliburton cyberattack explained: What happened?

Dig Deeper on Security management