<byline>By Khristopher J. Brooks – Edited By Anne Marie Lee<byline>
Millions of current and former AT&T customers learned over the weekend that hackers have likely stolen their personal information and are sharing it on the dark web.
AT&T on Saturday said it doesn't know if the massive data breach "originated from AT&T or one of its vendors," but that it has "launched a robust investigation" into what caused the incident. The data breach is the latest cyberattack AT&T has experienced since a leak in January of 2023, that affected 9 million users. By contrast, Saturday's much larger breach impacts 73 million current and former AT&T account holders. AT&T has seen several data breaches over the years that range in size and impact.
The data breach prompted an Ohio man to file a class-action lawsuit against AT&T, accusing the telecommunications giant of negligence and breach of contract. Lawyers representing Alex Petroski of Summit County, Ohio, argued that the cyberattack could have been avoided and that AT&T's security failed to protect customer data.
Until more details of AT&T's investigation arise, here's what customers should know about the most recent data breach.
How many people were impacted by the AT&T data breach?
AT&T said the breach on Saturday affects about 7.6 million current and 65.4 million former AT&T customers.
What type of information was taken from AT&T?
AT&T said Saturday that a dataset found on the dark web contains information such as Social Security and passcodes. Unlike passwords, passcodes are numerical PINS that are typically four-digits long. Full names, email addresses, mailing addresses, phone numbers, dates of birth and AT&T account numbers may have also been compromised, the company said. The impacted data is from 2019 or earlier and does not appear to include financial information or call history, it added.
Was my information affected by the AT&T data breach?
Consumers impacted by this breach should be receiving an email or letter directly from AT&T about the incident. The email notices began going out on Saturday, an AT&T spokesperson confirmed.
What has AT&T done so far to help customers?
Beyond notifying customers, AT&T said that it had already reset the passcodes of current users. The company also said it would pay for credit-monitoring services where applicable.
What's the latest with AT&T's investigation into the breach?
AT&T hasn't disclosed details about its investigation into the data breach, but it is likely to be time-consuming and costly, according to Kevin Powers, the founding director of the Master of Science in Cybersecurity Policy and Governance Programs at Boston College.
The company will most likely bring in outside computer forensics specialists who will work with its on-site IT staff to determine exactly when and how the hackers got into the customer account information system, Powers said. But identifying the hackers' path of entry will be a big challenge for such a large company.
"You don't know where it came in from," Powers told CBS MoneyWatch, referring to the source of the breach. "It potentially could be from a customer or it could have been done from one of their outside contractors or someone else along their supply chain."
In addition, AT&T will have to scrub any malware out of the software that runs its customer account system, while also keeping the system running for customers who weren't impacted, he said. All these steps will have to be shared with lawyers, the outside consultants, and likely officials from the Federal Trade Commission.
What's the best way to protect my personal information?
Start by freezing your credit reports at all three major agencies — Equifax, Experience and TransUnion. Then sign up for 24-7 credit monitoring and enable two-factor authentication on your AT&T account, said WalletHub CEO Odysseas Papadimitriou, a former senior director at Capital One.
If you receive a notice about a breach, it's a good idea to change your password and monitor your account activity for any suspicious transactions. The Federal Trade Commission offers free credit freezes and fraud alerts that consumers can set up to help protect themselves from identity theft and other malicious activity.
—The Associated Press contributed to this report.