After 70M Individuals' Data Leaks, AT&T Denies Being Source
Dataset Leaked for Free; ShinyHunters Cybercrime Gang First Advertised It in 2021
Data breach blast from the past: An old tranche of data allegedly pertaining to 70 million AT&T customers is available for free on a hacking forum.
America's largest wireless carrier has denied being the source of the leaked data since it first appeared on a cybercrime forum in 2021.
"We have no indications of a compromise of our systems," an AT&T spokesman told Information Security Media Group in a statement. "We determined in 2021 that the information offered on this online forum did not appear to have come from our systems. This appears to be the same dataset that has been recycled several times on this forum."
Data breach expert Troy Hunt, who runs the free Have I Been Pwned breach notification service, has reviewed the leaked data set, and he found that it contains names, home addresses and phone numbers. He also found:
- 49 million unique email addresses
- 44 million alleged Social Security Numbers
- 44,000 birthdates
Hunt said he has loaded all of those exposed email addresses into HIBP, so any affected subscribers will be notified if their information was contained in the breach.
Responding to AT&T's statement that it has no evidence of a data breach, Hunt said: "The old adage of 'absence of evidence is not evidence of absence' comes to mind - just because they can't find evidence of it doesn't mean it didn't happen." But at least so far, no one has any proof to the contrary.
Bleeping Computer has confirmed with some affected individuals that nonpublic data - meaning data that attackers couldn't have scraped from either AT&T or another organization's website - appears in the data dump.
One HIBP user whose email appears in the data dump, when contacted by Hunt, said their leaked information was accurate and that they had been an AT&T customer in 2014. "That may not necessarily be confirmation that the data did indeed originate from AT&T. It could be that it came from a third-party processor they use or from another entity altogether that's entirely unrelated," Hunt said.
More information could be forthcoming. Hunt said some HIBP users employ unique email aliases for every different service they use, which can help trace the source of a breach.
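The two analysis steps described above, tallying what a dump actually contains and using per-service email aliases to point at a source, are straightforward to script. The following is an added example, not Hunt's or HIBP's code and not the leaked dataset: it runs over a handful of constructed CSV rows in the shape Hunt describes (name, email, phone, SSN, birthdate), counts unique emails and plausibly formatted SSNs and birthdates, and tallies the `+tag` sub-address labels that alias-using subscribers assign to each service. The column names and the `local+tag@domain` alias convention are assumptions for the example.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample rows for this example; every value is made up and
# nothing here comes from the leaked dataset. Column names are assumed.
SAMPLE_DUMP = """name,email,phone,ssn,dob
Alice Example,alice@example.org,555-0100,123-45-6789,1980-02-14
Alice Example,ALICE@example.org,555-0100,123-45-6789,
Bob Sample,bob+att@example.net,555-0101,234-56-7890,
Carol Test,carol+att@example.net,555-0102,,1975-11-30
Dan Demo,dan+bankfoo@example.net,555-0103,000-12-3456,
Eve Noise,not-an-email,555-0104,12345,1999-99-99
"""

# SSA format rules: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")
# ISO date with a sane month and day; good enough to reject obvious junk.
DOB_RE = re.compile(r"^(19|20)\d{2}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Sub-addressing convention assumed for the example: local+tag@domain.
PLUS_TAG_RE = re.compile(r"^[^+@]+\+([^@]+)@(.+)$")


def parse_dump(text):
    """Parse a CSV dump into a list of row dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(records):
    """Count the fields Hunt reported: unique emails, alleged SSNs, birthdates.

    Emails are normalised to lower case before de-duplication so that case
    variants of one address are not counted twice.
    """
    emails = {
        r["email"].strip().lower()
        for r in records
        if EMAIL_RE.match(r["email"].strip())
    }
    ssns = {r["ssn"] for r in records if SSN_RE.match(r["ssn"])}
    dobs = [r["dob"] for r in records if DOB_RE.match(r["dob"])]
    return {
        "rows": len(records),
        "unique_emails": len(emails),
        "unique_ssns": len(ssns),
        "birthdates": len(dobs),
    }


def attribute_aliases(records):
    """Tally the '+tag' labels, which alias users assign per service.

    A cluster of identical tags across many rows points at one data source,
    but the tag vocabulary is chosen by each user, so this is evidence of
    provenance rather than proof of it.
    """
    tags = Counter()
    for r in records:
        m = PLUS_TAG_RE.match(r["email"].strip().lower())
        if m:
            tags[m.group(1)] += 1
    return tags


if __name__ == "__main__":
    rows = parse_dump(SAMPLE_DUMP)
    print(summarize(rows))
    print(attribute_aliases(rows).most_common())
```

On the constructed rows the summary reports four unique emails, two SSNs that pass the format check (the `000-` and five-digit values are rejected) and two valid birthdates, and the alias tally shows two `att` tags against one `bankfoo`. On a real dump the same tally over millions of rows is what lets a high concentration of one tag corroborate, or contradict, a claimed source.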
The dataset first appeared in 2021 on RaidForums, where the notorious ShinyHunters group, aka Shinycorp, listed it for sale. The group made money by selling stolen data to fraudsters across such forums as RaidForums, EmpireMarket and Exploit.
Federal prosecutors said that starting in late 2019, and surging in 2020 and 2021, ShinyHunters advertised data stolen from more than 60 U.S. organizations, often harvested via phishing attacks. "Sometimes ShinyHunters threatened to leak or sell stolen sensitive files if the victim did not pay a ransom," said the U.S. Department of Justice.
ShinyHunters listed the putative AT&T data for a starting auction price of $200,000 or an immediate "buy it now" price of $1 million in 2021, and when AT&T first denied suffering a breach or being the source, ShinyHunters told Bleeping Computer: "I don't care if they don't admit. I'm just selling."
Of course, criminals lie all the time, especially when attempting to get paid.
After going quiet, ShinyHunters seemed to reappear in 2023, and that summer it announced the relaunch of BreachForums. That cybercrime forum first debuted as a spinoff of RaidForums after law enforcement shut RaidForums down in February 2022. BreachForums shut down in March 2023 after the FBI busted its administrator, Conor Brian Fitzpatrick, aka "Pompompurin," in New York state.
At least one member of ShinyHunters is no longer at large. Authorities in June 2022 arrested Frenchman Sébastien Raoult, aka ShinyHunters member "Sezyo," at an airport in Morocco. Following his extradition to Seattle, Raoult pleaded guilty and in January 2024, the 22-year-old received a three-year prison sentence and was ordered to pay more than $5 million in restitution for committing wire fraud and aggravated identity theft.
"This is an extraordinarily serious offense," U.S. District Judge Robert S. Lasnik said at the sentencing hearing. "We're talking about him robbing people of millions of dollars."
The U.S. indictment against Raoult also named fellow French early-twentysomethings Gabriel Kimiaie-Asadi Bildstein, aka "Kuroi" and "Gnostic Players," and Abdel-Hakim El Ahmadi, aka "Zac" and "Jordan Keso" as being members of the group. Both appear to remain at large in France.