Restore Privacy

Hacker Selling Private Data Allegedly from 70 Million AT&T Customers

August 19, 2021 By Sven Taylor — 15 Comments

A well-known threat actor with a long list of previous breaches is selling private data that was allegedly collected from 70 million AT&T customers. We analyzed the data and found it to include social security numbers, dates of birth, and other private information. The hacker is asking $1 million for the entire database (direct sell) and has provided RestorePrivacy with exclusive information for this report.

Update: AT&T has initially denied the breach in a statement to RestorePrivacy. The hacker has responded by saying, “they will keep denying until I leak everything.”

Hot on the heels of a massive data breach at T-Mobile earlier this week, AT&T now appears to be in the spotlight. A well-known threat actor in the underground hacking scene is claiming to have private data from 70 million AT&T customers. The threat actor goes by the name of ShinyHunters and was also behind previous exploits that affected Microsoft, Tokopedia, Pixlr, Mashable, Minted, and more.

The hacker posted the leak on an underground hacking forum earlier today, along with a sample of the data that we analyzed. The original post is below:

AT&T Data Breach
This is the original post offering the data for sale on a hacking forum.

We examined the data for this report and also reached out to the hacker who posted it for sale.

70 million AT&T customers could be at risk

In the original post that we discovered on a hacker forum, the user posted a relatively small sample of the data. We examined the sample and it appears to be authentic based on available public records. Additionally, the user who posted it has a history of major data breaches and exploits, as we’ll examine more below.

While we cannot yet confirm the data is from AT&T customers, everything we examined appears to be valid. Here is the data that is available in this leak:

  • Name
  • Phone number
  • Physical address
  • Email address
  • Social security number
  • Date of birth

Below is a screenshot from the sample of data available:

ATT Data Breach
A selection of AT&T user data that is for sale.

In addition to the data above, the hacker has also accessed encrypted customer data that includes social security numbers and dates of birth. Here is a sample that we examined:

70 million ATT users hacked

The data is currently being offered for $1 million USD for a direct sell (or flash sell) and $200,000 for access that is given to others. Assuming it is legit, this would be a very valuable breach as other threat actors can likely purchase and use the information for exploiting AT&T customers for financial gain.

Hacker provides RestorePrivacy with additional information

We made contact with the hacker who confirmed that all data is from AT&T customers in the United States. The hacker would not tell us how the data was obtained.

The hacker also told us that he obtained three encrypted strings of data, with the first two being social security numbers and dates of birth. He believes the third encrypted string is the user PIN, but is not yet sure.

Potential impact for AT&T users

A data breach of this scale is a very serious issue, especially if the data includes detailed private information, particularly social security numbers.

Specifically, AT&T users could be at risk of the following attacks:

  • identity theft
  • phishing attempts
  • social engineering attacks
  • hacked accounts
  • social security scams

We strongly urge AT&T customers to be vigilant against any suspicious activities and/or compromised accounts on other platforms. The website haveibeenpwned, which is maintained by cybersecurity researcher Troy Hunt, is a useful tool to check if your personal information has been compromised.

UPDATE: AT&T comments on the situation

AT&T has provided us with a comment on the situation, posted below in its entirety:

Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems.

-AT&T Corporate Communications Officer (sent to RestorePrivacy on August 19, 2021).

This is an interesting response. The claim that this was posted in an “internet chat room” is simply not correct. It was posted in a well-known hacking forum by a user with a history of large (and verified) exploits.

ShinyHunters replied to AT&T’s statement by telling RestorePrivacy:

It doesn’t surprise me
I think they will keep denying until I leak everything

ShinyHunters’ past exploits and breaches

We should also point out that ShinyHunters is a well-known threat actor with a laundry list of previous exploits. You can see a small sample on the hacker’s Wikipedia page here. This gives further credibility to the hacker’s claims in light of AT&T’s initial denial. The hacker’s previous exploits include:

  • Microsoft – 500 GB of Microsoft source code stolen and sold online
  • Mashable – 5.22 GB of company and staff data
  • Tokopedia – 91 million user accounts
  • Pixlr – 1.9 million user accounts
  • 123RF – 8.3 million user accounts
  • Wattpad – 270 million user records
  • Pluto TV – 3.2 million Pluto TV user records
  • Animal Jam – 46 million accounts leaked
  • WedMeGood – 41.5 GB of user data
  • BigBasket – 20 million user accounts
  • Dave.com – 7 million user accounts
  • Couchsurfing.com – Data from 17 million users
  • Dunzo – 11 GB of company data
  • Nitro PDF – 77 million user records
  • Bhinneka – 1 million user accounts
  • Minted – 5 million accounts leaked
  • ProctorU – 444,267 accounts
  • Bonobos – Full backup database with 7 million customers and 1.8 million registered users
  • Swvl – 4 million users
  • Mathway – 25 million records
  • Wishbone app – 40 million user records

This list is not exhaustive. You can find more breaches and exploits from ShinyHunters that have been verified and discussed on various hacking forums, particularly RaidForums.

Hacker is willing to work with AT&T on an “agreement”

The hacker told us he is willing to work with AT&T directly if they want the data removed — for a price.

hacker data

We will continue to monitor the situation and update this article as new information unfolds.

About Sven Taylor

Sven Taylor is the lead editor and founder of Restore Privacy, a digital privacy advocacy group. With a passion for digital privacy and accessible information, he created RestorePrivacy to provide you with honest, useful, and up-to-date information about online privacy, security, and related topics.

Comments

  1. Kal-El

    September 6, 2021

    https://thehackernews.com/2021/09/protonmail-shares-activists-ip-address.html?m=1

    Protonmail involved

  2. Rocky

    August 26, 2021

    Do you really think he technically ‘hacked’ all these tech companies? Not at all! Humans are the most vulnerable security risk. Most likely it’s a big dude who has got strong connections to senior staff willing to make some extra bucks on the side. This also works for single user data since many companies offer their users to download the collected data. (:

    • Sven Taylor

      August 26, 2021

      We do see this trend right now where ransomware groups are going directly to employees and bribing them to get inside access to a network.

  3. Tsiona

    August 23, 2021

    I reported to AT&T that my phones are being hacked and their security response was somewhat helpful. I believe the data is stolen in the sales process–individuals are selling new customer info as soon as you walk out the door with your new phone. I watched it unfold to the degree: step one, the computer slows down and processing just happens to take long that day for some reason; next another person comes over as if having approval/ input authority or, the customer document leaves the kiosk with sales person to go pick up your equipment. You walk out with an excuse that the contract isn’t available they will email it. I’ve experienced these scenarios with T-Mobile, AT&T and when Sprint was only Sprint. I filed complaints with the Secretary of State and FCC.

  4. The Data Ocean

    August 20, 2021

    I’m not surprised at ATT’s response, noting of course the sample data looks like a simple pipe delimited SQL query export… I’m not a white or black hat, just a long time database guy… and this data doesn’t look right.

    Assuming the data is valid – the really scary thing is that those encrypted values are really weak. That the Date field has more entropy than the SSN is very odd. Note also the repetitive prefix value in both – this doesn’t make sense, unless the encrypted (not hashed) field were appended.

    The data itself – looks more like a translation form. UUencode64 value is a good example… as are a bunch of Unicode Translation forms. This would lend credence to ATT’s version of the story…

    • Funk

      August 21, 2021

      shinyhunters has already said that this is not the original format

  5. BoBeX

    August 20, 2021

    Hi Sven,

    Great article!

    When contacting hackers do you let them know it is for journalistic purposes? To know would give some insight into the personalities behind the hack.

    When a hacker (credibly) asserts they have breached an organisation and the organisation (credibly) denies the breach how is the truth resolved? Can it be resolved?

    Regards,

    BoBeX

    • Sven Taylor

      August 20, 2021

      1. Yes, and usually the players involved will provide information for the story.
      2. Yes, it will be resolved when more information comes forward. In this case the sample is relatively small and AT&T was quick to deny it, which is no surprise because this would be very bad for them. But when more data comes out, it should be very clear who is correct.

      • Tsiona

        August 23, 2021

        I reported to AT&T that my phones are being hacked and their security response was somewhat helpful. I believe the data is stolen in the sales process–individuals are selling new customer info as soon as you walk out the door with your new phone. I watched it unfold to the degree: step one, the computer slows down and processing just happens to take long that day for some reason; next another person comes over as if having approval/ input authority or, the customer document leaves the kiosk with sales person to go pick up your equipment. You walk out with an excuse that the contract isn’t available they will email it. I’ve experienced these scenarios with T-Mobile, AT&T and when Sprint was only Sprint. I filed complaints with the Secretary of State and FCC.

        • Tsiona

          August 23, 2021

          I forgot to add the facts about how it seems to take 1 full day to notice your phone is being interrogated with glitches like third access, real-time interaction from a backdoor.

    • Big Brother

      August 27, 2021

      I’m sure social media is a good place to observe where the formal networking happens.

  6. Nothere

    August 19, 2021

    You missed a street name in the sample. Second to last row.

    • Sven Taylor

      August 19, 2021

      Hey thanks, I updated the image and removed the street name.

      • Markie Charlie

        August 20, 2021

        Leaving the ZIP+4 visible for “Peter” is still enough to find his full name and address, since many of those +4 codes map to a single street name.

        A Google search with his first name, the street from his +4, and the town, pulled up his full name and address on the first page of results.

        • Sven Taylor

          August 20, 2021

          Wow. I did not know +4 is so invasive, but I just tried it and you are correct. I have now updated the image again to remove the +4 zip.
