AT&T Data Breach: How to Make Sure Your Personal Information Is Safe

Telecommunications giant AT&T has confirmed it's investigating a massive data leak that exposed personal information on tens of millions of current and former customers.

Over Easter weekend, AT&T verified that sensitive data belonging to 73 million people was leaked on the dark web following years of rumors that a hacker had stolen large amounts of AT&T customer data. The information includes Social Security numbers and account passcodes; full names, email addresses, home addresses and more may have also been leaked.

“The data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders,” the company said in a statement posted on its website Saturday. “The company is communicating proactively with those impacted and will be offering credit monitoring at our expense where applicable.”

AT&T says it has reset affected customers' account passcodes. Passcodes are separate from passwords and are typically four digits in length. They can be used to access an AT&T account in lieu of a full password.

AT&T stock prices fell about 2.5% percent Monday morning to as low as $17.16 as the markets opened from the holiday weekend but had largely recovered as of Tuesday afternoon.

AT&T data breach: What happened this time?

According to TechCrunch, which broke the story and alerted AT&T to the breach, a hacker posted the full data set on a dark-web forum last month.

The original data breach seems to have happened in 2021 or earlier. The hacker who claimed responsibility for the breach previously posted a small portion of the stolen data on the same forum in 2021, but AT&T didn’t publicly acknowledge the breach until Saturday.

This isn’t the first data breach AT&T has dealt with. The Associated Press reports that the telecom company has experienced several breaches over the years, including one in 2014 where a rogue employee accessed personal data on about 1,600 customers.

Who was affected by the AT&T data breach?

In total, approximately 73 million people’s information was leaked on the dark web in connection with the AT&T data breach. This includes sensitive information like Social Security numbers, addresses and account information for 7.6 million current AT&T customers and over 65 million former customers, the company confirmed.

How to tell if your information was leaked

As of now, the best way to tell if your information was leaked is to wait for AT&T to contact you.

“If your information was impacted, you will be receiving an email or letter from us explaining the incident, what information was compromised, and what we are doing for you in response,” the company said on its website.

The company said it's providing free credit monitoring services to at least some of the people who were affected by the leak. Typically, credit monitoring services help people dealing with identity theft by automatically sending alerts about changes to their credit report, credit score or other suspicious activity.

How to protect your identity and sensitive data

Identity theft has been a pervasive issue in the U.S. for decades, and since the pandemic, it has worsened considerably. In 2019, the Federal Trade Commission received nearly 650,000 complaints of identity theft. In 2023, that number soared to over 1 million — an increase of 60%.

Even so, identity theft remains vastly underreported, according to Axton Betz-Hamilton, an identity theft expert and consumer affairs professor at South Dakota State University.

She previously told Money that preventing and managing identity theft takes vigilance. Once your information is out there on the dark web — as it might be with the AT&T data breach — it can be bought and sold forever.

Ideally, you should be taking steps to prevent identity theft from happening in the first place, she said. That includes using strong, unique passwords and/or a password manager; never opening emails from unfamiliar senders or answering phone calls from unknown numbers; and storing your sensitive documents like Social Security cards and birth certificates in a bank lock box (not at home).

One of the biggest strategies Betz-Hamilton recommends is that you freeze your credit with the “big three” credit bureaus: Equifax, Experian and TransUnion. There’s no charge to do this, and it prevents anyone else from opening new credit accounts in your name. And when you need to open new lines of credit, you can temporarily unfreeze your credit to do so.

(To freeze your credit, you must contact each of the bureaus individually online or by phone or mail and request them to do so. The bureaus will give you a PIN that you will need to unfreeze your credit when you need it.)

Finally, if you suspect your identity has been stolen, you should immediately pull your credit reports. You can do this for free weekly at AnnualCreditReport.com. Once you have them, review your financial statements to look for unfamiliar charges or credit accounts open under your name. If you see fraudulent accounts on your credit report, you can dispute them at no charge, and the bureaus are obligated to investigate.

You can also report identity theft directly to the Federal Trade Commission at IdentityTheft.gov.

Clarification: This story has been updated to reflect a statement from AT&T saying the origin of the data posted online is still under investigation.

More from Money:

8 Best Identity Theft Protection Services of April 2024

10 Warning Signs of Identity Theft

Best Virtual Private Network (VPN) Services