AT&T

The Everest ransomware group claimed to have stolen **576,686 personal records** from **AT&T Careers**, the telecom giant’s official job and recruitment platform. The leaked data reportedly includes applicant and employee records, such as resumes, career-related information, and potentially sensitive personal details. The group posted the listing on its dark web leak site on **October 21**, with a **four-day countdown** before public release, restricting access behind a password. While AT&T has not confirmed the breach, the incident follows prior high-profile breaches, including a **2021 ShinyHunters attack** (70M customer records) and a **2025 leak** (86M decrypted SSNs). The Everest group, known for extorting corporations, has previously targeted companies like Coca-Cola and Mailchimp. The breach raises concerns over **employee data security**, potential **phishing risks**, and AT&T’s cybersecurity posture, especially if third-party vendors were involved. Affected individuals are advised to **reset passwords, enable MFA, and monitor financial/credit activity** for signs of misuse.

Source: https://hackread.com/everest-ransomware-att-careers-breach/

TPRM report: https://www.rankiteo.com/company/att

"id": "att2192021102425",
"linkid": "att",
"type": "Ransomware",
"date": "6/2021",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"

{'affected_entities': [{'customers_affected': '576,686 (potential '
                                              'applicants/employees)',
                        'industry': 'telecommunications',
                        'location': 'United States',
                        'name': 'AT&T',
                        'size': 'large (global enterprise)',
                        'type': 'corporation'}],
 'customer_advisories': ['Applicants/employees advised to change passwords, '
                         'enable MFA, and monitor for fraud.',
                         'Official guidance from AT&T pending.'],
 'data_breach': {'data_exfiltration': 'Claimed by Everest ransomware group',
                 'number_of_records_exposed': '576,686',
                 'personally_identifiable_information': 'Likely (e.g., names, '
                                                        'contact details, '
                                                        'resumes, possibly '
                                                        'SSNs)',
                 'sensitivity_of_data': 'High (potentially includes resumes, '
                                        'PII, career-related documents)',
                 'type_of_data_compromised': ['personal records',
                                              'recruitment data',
                                              'applicant/employee '
                                              'information']},
 'date_detected': '2025-10-21',
 'date_publicly_disclosed': '2025-10-21',
 'description': 'The Everest ransomware group claims to hold 576,686 personal '
                'records linked to AT&T Careers, the telecom giant’s official '
                'job and recruitment platform. The listing appeared on October '
                "21, 2025, on the group's dark web leak site, with a "
                'password-protected entry and a four-day countdown before '
                'public release. The data may include recruitment, applicant, '
                'or employee records. AT&T has not yet publicly confirmed or '
                'denied the breach.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'repeated breaches and lack of '
                                       'immediate public response',
            'data_compromised': ['personal records (576,686)',
                                 'potential recruitment/applicant/employee '
                                 'data'],
            'identity_theft_risk': 'High (if records include PII like resumes, '
                                   'contact details, or SSNs)',
            'systems_affected': ['AT&T Careers platform (job and recruitment '
                                 'portal)']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Claimed '
                                                    '(password-protected '
                                                    'listing with 4-day '
                                                    'countdown)',
                           'high_value_targets': ['AT&T Careers platform '
                                                  '(recruitment/applicant '
                                                  'data)']},
 'investigation_status': 'Unverified by AT&T; under monitoring by Hackread.com',
 'motivation': ['financial extortion', 'data theft'],
 'ransomware': {'data_exfiltration': 'Claimed (576,686 records)',
                'ransomware_strain': 'Everest'},
 'recommendations': ['Change AT&T account passwords and avoid reuse elsewhere.',
                     'Enable multi-factor authentication (MFA) on all '
                     'accounts.',
                     'Monitor financial statements, credit files, and '
                     'communications for suspicious activity.',
                     "Beware of phishing attempts referencing 'AT&T Careers' "
                     "or 'application portal'.",
                     'Follow official AT&T channels for notifications, not '
                     'unsolicited links.',
                     'AT&T should investigate third-party vendor risks as a '
                     'potential breach source.'],
 'references': [{'date_accessed': '2025-10-21',
                 'source': 'Hackread.com',
                 'url': 'https://www.hackread.com'},
                {'date_accessed': '2025-10-21',
                 'source': 'Everest ransomware group dark web leak site'}],
 'threat_actor': 'Everest ransomware group',
 'title': 'AT&T Careers Data Leak by Everest Ransomware Group',
 'type': ['data breach', 'ransomware extortion']}