If you are or were an AT&T user, chances are high that you were a victim of at least one of two major data breaches.
The first breach likely happened sometime between 2019 and 2021 when hackers obtained the social security numbers, email addresses, phone numbers, dates of birth, AT&T account numbers, and passcodes of a whopping 73 million users. Both current and former users were affected, and the hackers seemed to have accessed data from 2019 or earlier. AT&T confirmed the breach in March 2024 when the data was posted on the dark web, although some outlets had reported on it as early as 2021.
Shortly after, disaster hit again. The company announced in July 2024 that phone records belonging to “nearly all” of its customers were illegally downloaded from the AT&T workspace onto a third-party cloud platform. A former U.S. Army soldier and two other people allegedly accessed records of customers’ calls and text interactions, and the hack impacted Verizon, Ticketmaster, and roughly 160 other companies. The former soldier pleaded guilty to trying to sell the stolen AT&T data, including to a foreign intelligence service.
AT&T settled a class-action lawsuit over the breaches earlier this year, and the court ordered the telecommunications giant to pay a total of $177 million to affected customers. Customers who were impacted in the first data breach will be entitled to up to $5,000, and those impacted in the second data breach will be entitled to up to $2,500. The deadline to request a payout in the settlement is Thursday, Dec. 18. You will have to file your claim either online by that time or via mail postmarked on or before then.
“I think that the settlement is way too low for this one, because there’s such important pieces of information,” Adrianus Warmenhoven, who is on NordVPN’s security advisory board, told Gizmodo. Social security numbers are significant breaches, but Warmenhoven says that even a date of birth breach could be a substantial threat.
Criminals accumulate information about you gradually through breaches (although the AT&T breach is quite significant, Warmenhoven says, breaches that impact users in the millions are “starting to become quite common”). One data breach could reveal your email address, while another could reveal your phone number, etc. When combined, they paint a picture that a criminal could use to digitally impersonate you.
“With most of the data, if you have a complete profile, I can call credit card companies, get a new account on there, get a lease for something, borrow some money, rent a car,” Warmenhoven said. “So this data will never, ever go away; it will only get more and more enriched.”
There is sadly no “technical fix” that an individual can use to protect themselves against these breaches, Warmenhoven said, because there is no technical problem underlying it.
“It’s just bad management,” h