AT&T suffered a major data breach in which a database containing over 86 million customers' personal information was exfiltrated by the ShinyHunters hacking group from a Snowflake environment. The leaked data, reuploaded on a Russian cybercrime forum in early July (after an initial exposure in mid-May), included full names, phone numbers, home addresses, email addresses, birthdates, and nearly 44 million decrypted Social Security numbers (SSNs). While the attackers claimed the data was linked to a prior Snowflake-related breach, investigations revealed discrepancies: the earlier leaks had encrypted SSNs and were less structured. AT&T acknowledged the incident, stating that cybercriminals often repackage old data for financial exploitation, and confirmed an ongoing investigation. The exposure of highly sensitive personally identifiable information (PII), particularly decrypted SSNs, poses severe risks of identity theft, financial fraud, and long-term reputational damage to affected customers. The breach underscores vulnerabilities in third-party cloud environments (Snowflake) and the persistent threat of sophisticated hacking collectives like ShinyHunters.
Source: https://www.scworld.com/brief/millions-of-pilfered-att-records-exposed
TPRM report: https://www.rankiteo.com/company/at&t-bell-laboratories
{
  "id": "at&1654316113025",
  "linkid": "at&t-bell-laboratories",
  "type": "Breach",
  "date": "5/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': '86 million+',
'industry': 'telecommunications',
'location': 'United States',
'name': 'AT&T',
'size': 'large enterprise',
'type': 'telecommunications company'}],
'attack_vector': 'third-party cloud environment (Snowflake) compromise',
'data_breach': {'data_encryption': 'partially (SSNs were encrypted in earlier '
'leak but allegedly decrypted in '
'reuploaded data)',
'data_exfiltration': 'yes (via Snowflake environment)',
'number_of_records_exposed': '86 million+ (including 44 '
'million SSNs)',
'personally_identifiable_information': ['full names',
'phone numbers',
'home addresses',
'email addresses',
'birthdates',
'Social Security '
'numbers'],
'sensitivity_of_data': 'high (includes SSNs, birthdates, '
'addresses, etc.)',
'type_of_data_compromised': ['personally identifiable '
'information (PII)',
'sensitive personal data']},
'date_publicly_disclosed': '2024-06',
'description': "AT&T had a database with over 86 million customers' "
'information purportedly exfiltrated by the ShinyHunters '
'hacking operation from a Snowflake environment. The data was '
'reuploaded on a Russian cybercrime forum earlier this month '
'after being initially exposed in mid-May. The leaked data '
'included full names, phone numbers, home addresses, email '
'addresses, birthdates, and almost 44 million Social Security '
'numbers (allegedly fully decrypted). AT&T is investigating '
'the newest data leak allegations, noting discrepancies '
'between this leak and the earlier Snowflake-related breach. '
'The company suggested cybercriminals may have repackaged '
'previously disclosed data for financial gain.',
'impact': {'brand_reputation_impact': 'potential reputational damage due to '
'large-scale data exposure and '
'allegations of repackaged breach data',
'data_compromised': ['full names',
'phone numbers',
'home addresses',
'email addresses',
'birthdates',
'Social Security numbers (44 million, '
'allegedly decrypted)'],
'identity_theft_risk': 'high (due to exposure of PII including '
'SSNs)',
'systems_affected': ['Snowflake environment']},
'initial_access_broker': {'data_sold_on_dark_web': 'yes (reuploaded on '
'Russian cybercrime forum)',
'entry_point': 'Snowflake environment',
'high_value_targets': ['customer PII database']},
'investigation_status': 'ongoing (AT&T investigating discrepancies in leak '
'claims)',
'motivation': 'financial gain',
'references': [{'source': 'Hackread'}],
'response': {'communication_strategy': 'public statement acknowledging '
'investigation and discrepancies in '
'leak claims',
'incident_response_plan_activated': 'yes (investigation '
'ongoing)'},
'threat_actor': 'ShinyHunters',
'title': 'AT&T Customer Data Leak Linked to ShinyHunters and Snowflake Breach',
'type': ['data breach', 'data exfiltration']}