An online hacker last month claimed to have the personal data of 72.6 million AT&T customers. This leak reportedly includes names, addresses, mobile phone numbers, decrypted date of birth, encrypted social security numbers, and other internal information of AT&T customers. Now AT&T has confirmed the data was leaked, but AT&T says it sees no evidence the leak came from its servers as many speculate a 3rd party may have leaked the data.
With this confirmation, AT&T over the weekend announced that it would be giving customers current and past a free year of Experian’s IdentiyWorks service to help protect their online identity. If you qualify for this offer you should have received an email from AT&T. So make sure to carefully review your email before deleting it.
It is reported that data from 7.6 million current customers and 65 million former customers have been compromised. In a statement on its website AT&T said:
It has come to our attention that a number of AT&T passcodes have been compromised. We are reaching out to all 7.6M impacted customers and have reset their passcodes. In addition, we will be communicating with current and former account holders with compromised sensitive personal information.
Our internal teams are working with external cybersecurity experts to analyze the situation. To the best of our knowledge, the compromised data appears to be from 2019 or earlier and does not contain personal financial information or call history.
The data was originally put up for sale in 2021 but is now listed for free online. BleepingComputer says it has reviewed the data, and while it cannot confirm that all 72.6 million lines are accurate, it can verify some of the data contains the correct information, including social security numbers, addresses, dates of birth, and phone numbers.
Be very careful of any calls or text messages claiming to be from AT&T. With this data leaked, it can be used to create targeted attacks on AT&T customers.
So, what should you do if you are an AT&T customer who may have had their data leaked online?
Here are a few steps to follow to better protect yourself. While nothing you do can 100% protect you from an attack, or from someone to use your info against you, these actions will help mitigate the risk and make it a lot tougher for scammers.
Step 1: Look at your passwords
If you’re like many people, you tend to recycle passwords across different accounts. It’s an awful practice – but given how many accounts people juggle, it’s understandable why they’ll resort to that. If one of those passwords happens to be one caught up in a breach, a hacker potentially has access to many different accounts and services in your name.
So if you are someone who uses the same password over and over, change them!
Better yet, sign up for a password manager, which will auto-generate different, complicated passwords for all of your different accounts, leaving you to just remember the single password.
But keep in mind that even password managers can be breached, as it did with Lastpass late last year. Bitwarden offers a fairly complete version of its password management software for free, but services like 1Passworld and Dashlane also offer more bells and whistles if you’re willing to pay a premium.
Just know that they’re not immune to attacks (look at Lastpass), so you may need to be prepared to move services if one shows it can’t adequately protect you.
Step 2: Two factor authentication
Adding a second layer of protection onto your most critical accounts is also key. That usually includes two factor authentication, in which you’re sent a second, randomized password or pin number to enter on top of your standard password, further ensuring that you are, indeed, you.
This is a feature offered by all banks and many services, so take advantage of it when possible.
Many offer text message-based multi-factor authentication, but given how easily it is for your cellphone number to get exposed, security experts recommend using an app-based authentication app like Google Authenticator or Authy. For those particularly vigilant, a physical fob like one from Yubikey is the ideal solution.
Step 3: Work with the credit agencies
You can file a fraud alert with the three credit bureaus, Experian, TransUnion and Equifax. That will have the agencies contact you for verification if someone attempts to file a credit application in your name.
Keep in mind the fraud alert only lasts for a year, after which you can manually extend it yourself.
You can also request to freeze or lock your credit, which limits or restricts other businesses from accessing your credit. Keep in mind this can be a hassle if you’re doing something like signing up for internet service, since the freeze will prevent the company from accessing your information.
Step 4: Continue to monitor your credit and accounts
Even after you lock your credit down, you’ll still need to maintain an eye on your different accounts. But sometimes, that can be overly burdensome, and it’s only human nature for that vigilance to fade over time.
You can choose to sign up for a service like Norton LifeLock or American Express’s CreditSecure to keep ongoing tabs on your accounts and passwords. These services keep tabs on whether your passwords or accounts have been exposed, and give you regular updates.
At this point, it’s also good practice to look at inactive accounts, whether they’re old emails or to some retailer, and shut them down. The smaller your digital footprint, the harder it is for a scammer to notice you.
Please follow us on Facebook and X for more news, tips, and reviews. Need cord cutting tech support? Join our Cord Cutting Tech Support Facebook Group for help.