If you have an iPhone with AT&T, there's a good chance your info has been stolen

in General Discussion edited March 2024

AT&T is finally resetting passcodes for current customers after hackers stole a trove of customer data more than two years ago.


The vast majority of the compromised passcodes belong to some 65.4 million current and former AT&T customers. However, the company has reset passcodes for 7.6 million of its current customers, in the typical abundance of caution often cited.

The passcodes are usually four-digit numbers used to help verify customer accounts when they are being accessed by customers or AT&T support staff. No account passwords were compromised in the breach.

Although the passcodes and other information were encrypted, it remains possible to decipher the data. In addition to the passcodes, the data leaked includes customer names, dates of birth, home addresses, phone numbers, and Social Security numbers.

The stolen data was first reported on hacker forums in 2021. AT&T denied that the hack was real -- until now.

The company continues to say that it does not have any evidence of "unauthorized access to its systems resulting in exfiltration of the data set."

It has set up a new webpage reporting the incident, with tips on how customers can keep their account secure.

"Our internal teams are working with external cybersecurity experts to analyze the situation," AT&T said in its statement. It added that the compromised data "does not contain personal financial information or call history," and the company will be offering complimentary identity theft and credit monitoring services to affected customers.




Comments

  • Reply 1 of 23
    thttht Posts: 5,873member
    How nice. ATT’s login page isn’t even working for me, as of this moment. Sigh. 

    My cellphone and Internet expenses, all with ATT, are the second highest expense I have. $4000 per year for 7 cell lines and fiber Internet. 

    I actually don’t mind it as I can see what I’m getting out of it. Auto insurance? I don’t think I’m benefitting much from it. If your rates go up after an accident, grrr…
    watto_cobraols
     2Likes 0Dislikes 0Informatives
  • Reply 2 of 23
    killroykillroy Posts: 293member
    Only four digits in the pass code good grief AT&T.
    eriamjhols
     2Likes 0Dislikes 0Informatives
  • Reply 3 of 23
    eriamjheriamjh Posts: 1,817member
    killroy said:
    Only four digits in the pass code good grief AT&T.
    The passcode is downright worthless.  Another 4-digit code to forget.  

    How about 2-factor login?   How about non-socially stealable  questions (not “what street did you live on” or “what city were you born”, but something not guessable from your address or commonly posted info).
    ronnwatto_cobraols
     3Likes 0Dislikes 0Informatives
  • Reply 4 of 23
    Well I was able to get into AT&T and I did change the password 

    watto_cobra
     1Like 0Dislikes 0Informatives
  • Reply 5 of 23
    quazzequazze Posts: 34member
    I hope there’s a civil lawsuit that goes into effect. Corporations should be held liable and accountable if my personal information is stolen from their possession.
    watto_cobradewmeols
     3Likes 0Dislikes 0Informatives
  • Reply 6 of 23
    “Online security” in the US is such an oxymoron. 

    We laugh —I do too — at the EU when it comes to tech, but I do wonder, how come we never hear about such regular breaches (on a similar scale) over there? 

    (It’s honestly a serious question. Spare me the predictable hackneyed responses, please.)
    watto_cobraolsmuthuk_vanalingam
     3Likes 0Dislikes 0Informatives
  • Reply 7 of 23
    SSD1400ssd1400 Posts: 10member
    Another example of why corporations should not be allowed to store sensitive personal information (i.e. SSN) after account established/approved.  In fact, there is NO reason for them to have your SSN in the first place, as it is NOT required for a credit check or any other business purpose.
    edited March 2024
    Alex_Vchasmronnwatto_cobraolsjbdragonciakillroy
     7Likes 0Dislikes 1Informative
  • Reply 8 of 23
    kmareikmarei Posts: 216member
    quazze said:
    I hope there’s a civil lawsuit that goes into effect. Corporations should be held liable and accountable if my personal information is stolen from their possession.
    Government is so worried about the Chinese getting our data from tiktok
    yet the vast majority of American companies get hacked, and all we get is "oops my bad"
    And all that stolen data is sold to the highest bidder, including the Chinese 
    so banning tiktok isn't about protecting our data now is it?
    williamlondonwatto_cobraolskillroy
     4Likes 0Dislikes 0Informatives
  • Reply 9 of 23
    badmonkbadmonk Posts: 1,348member
    Nothing to see here folks, the Feds are too busy investigating Apple…
    watto_cobraols
     2Likes 0Dislikes 0Informatives
  • Reply 10 of 23
    eriamjh said:
    killroy said:
    Only four digits in the pass code good grief AT&T.
    The passcode is downright worthless.  Another 4-digit code to forget.  

    How about 2-factor login?   How about non-socially stealable  questions (not “what street did you live on” or “what city were you born”, but something not guessable from your address or commonly posted info).
    The weird thing is the passcode isn’t really used when you log into your account, it’s an extra thing they make you do when you try to upgrade your devices at their store or at an Apple Store. I turn mine off and on all the time. 

    There’s more to this than just the passcode. Just give it a few more months before they’re forced to come clean. 
    ronnwatto_cobraols
     3Likes 0Dislikes 0Informatives
  • Reply 11 of 23
    A company I used to work for stores the ssn in the free and clear in their database.  I also proved to them they had several SQL injection attack vectors.  Did they want to fix these things? Nope. Probably a combination of things: they didn’t care, moving too fast for their own good, fixing it wasn’t as sexy as a new feature, too cheap to pay someone to fix it, or all of the above. All of this, and definitely more, is probably still there waiting to be exploited to this day.

    This is why we can’t have nice things, aka things that work to protect us.

    Needless to say, but I no longer work there.
    ronnwatto_cobraols
     2Likes 0Dislikes 1Informative
  • Reply 12 of 23
    Expect more data leaks as bad actors adopt AI and quantum computing to obtain data, crack encryption and guess passwords.  

    More concerned about the data stolen from several medical records breaches over the past year.  
    Also, the huge uptick in spam telephone calls and phishing emails.  
    Lastly, computer generated voices have become more convincing.  
    If I don't recognize a number, the caller will have to leave a call back number, name and pitch for a return call (after 7 rings and a message).  
    If the message is at all fishy, the voice message is deleted with no action taken.  

    Had a land line and internet with AT&T 10+ years ago, no emails yet from AT&T.  
    Have changed email address several times in 10+ years, so contact by email would be difficult for AT&T.  
    Maybe I should change email address again, as well as changing telephone numbers (both would require updating a bunch of folks).  

    Years ago (1999), the CEO of Sun Microsystems (now owned by Oracle) said something like "You have zero privacy.  Get over it."  
    https://www.techspot.com/trivia/127-who-tech-ceo-1999-you-have-zero-privacy/#:~:text=Learn%20why%20this%20is%20the,Get%20over%20it.%22  
    edited March 2024
    ronnwatto_cobra
     2Likes 0Dislikes 0Informatives
  • Reply 13 of 23
    chasmchasm Posts: 3,711member
    The worst part of all this is that the data was stolen **in 2021** and reported on at the time here. AT&T staunchly denied the data had come from them ever since, and they are still claiming no breach now -- they've just finally owned up that the data does match their current and former records.

    As mentioned above, a massive class-action lawsuit for both the breach AND their irresponsible behaviour afterwards might get them to reform their practices. It's shutting the barn door after the horse has bolted, but may prevent future large-scale data breaches.

    In the meantime, take your business elsewhere if possible. And tell AT&T why you are doing that.
    edited March 2024
    williamlondonwatto_cobraols
     3Likes 0Dislikes 0Informatives
  • Reply 14 of 23
    9secondkox29secondkox2 Posts: 3,300member
    Just the DOJ “investigating” Americans using a supplied back door “vulnerability” to see how much money you have, who you’re voting for, which devices you use, and the content of your sms texts as well as the need to ban iMessage since it’s unreadable. 

    Nothing to worry about…

    Happy Easter! 
    watto_cobraols
     2Likes 0Dislikes 0Informatives
  • Reply 15 of 23
    mike1mike1 Posts: 3,472member
    eriamjh said:
    killroy said:
    Only four digits in the pass code good grief AT&T.
    The passcode is downright worthless.  Another 4-digit code to forget.  

    How about 2-factor login?   How about non-socially stealable  questions (not “what street did you live on” or “what city were you born”, but something not guessable from your address or commonly posted info).

    Passcode is NOT the password. It's used when someone on your account that's not you wants to upgrade their phone when you are not present.
    watto_cobraols
     1Like 0Dislikes 1Informative
  • Reply 16 of 23
    avon b7avon b7 Posts: 8,196member
    “Online security” in the US is such an oxymoron. 

    We laugh —I do too — at the EU when it comes to tech, but I do wonder, how come we never hear about such regular breaches (on a similar scale) over there? 

    (It’s honestly a serious question. Spare me the predictable hackneyed responses, please.)
    Breaches happen of course and fines are issued. Some of them are huge, others tiny but the obligations are there and the authorities take complaints seriously, no matter how small. 

    Here is a good summary on what is required:

    https://www.upguard.com/blog/cybersecurity-regulations-in-the-european-union

    And one small example:

    https://www.edpb.europa.eu/news/national-news/2024/polish-sa-administrative-fine-failure-notify-personal-data-breach_en

    And a bigger one:

    https://www.edpb.europa.eu/news/national-news/2021/dutch-sa-fines-transavia-poor-personal-data-security_en

    Some of the biggies under GDPR (not necessarily breaches) but underscores how bad Meta still is:

    https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/




    edited March 2024
    ronnmuthuk_vanalingamkillroy
     0Likes 0Dislikes 3Informatives
  • Reply 17 of 23
    dewmedewme Posts: 5,950member
    The concern around the passcode breach is a big deal, but it can be mitigated by changing your passcode. The worst part of this breach is the massive amount of personal data that’s been leaked not just for current AT&T customers but customers that had AT&T service anytime over the past decade. I left AT&T about 5 years ago but my personal data may have been leaked. 

    Here’s the list of personal data that’s been leaked by AT&T over the past decade: (from AT&T website)

    “The information varied by customer and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and passcode.”

    So even if you’re a current customer and immediately change your passcode, you’re already screwed when it comes to your personal information. 

    olsmuthuk_vanalingam
     2Likes 0Dislikes 0Informatives
  • Reply 18 of 23
    jamnapjamnap Posts: 105member
    Is ATT trying to compete with T-Mobile?  The latter has had three huge data breaches in the past five years.
     0Likes 0Dislikes 0Informatives
  • Reply 19 of 23
    jbdragonjbdragon Posts: 2,313member
    Never give ANYONE other than your work, your SSN.  That is for the SSN only.  It's not supposed to be used to track people. It's not supposed to be a universal ID number.  Do NOT give it to the police or anyone else other than for work since they need that number or the Social Security Department when dealing with them.  You sure as hell don't give it to AT&T or any other phone company.  It doesn't matter if they request it or not.  

    Also use a random computer-generated password for each website you go to.  A nice long password.  Better to also turn on 2 factor.  2 years before AT&T says something?  It's a little late by then for everyone.  You can't trust any of these companies.  Do not give out SSN for sure, but the less info you put out there on you the better.  
     0Likes 0Dislikes 0Informatives
  • Reply 20 of 23
    ciacia Posts: 274member
    Why did AT&T need my SSN anyway?
     0Likes 0Dislikes 0Informatives