Hackers accessed personal data from 9 million AT&T customers

What just happened? Many AT&T customers recently received an email saying hackers accessed their Customer Proprietary Network Information (CPNI). Classic phishing vocabulary, but the alert isn’t a scam. Users should take steps to secure their AT&T account, including fortifying their password and filing a CPNI restriction request.

Telecom provider AT&T recently alerted customers that a cyberattack exposed some information from their accounts. No credit card data, social security numbers, passwords, or dates of birth got out, but the hack exposed some details regarding users’ phone plans.

Information at risk includes customer first names, email addresses, number of lines on accounts, device types, device upgrade eligibility, rate plan names, past due amounts, monthly payment amounts, and minutes used. The company told Bleeping Computer that the breach affected about 9 million accounts.

Hackers aimed the January attack at one of AT&T’s marketing vendors rather than the company itself. The provider didn’t identify the vendor but said the attackers exploited one of the vendor’s security vulnerabilities, which has since been patched. The company also contacted federal law enforcement as legally required, assuring customers that it didn’t share personal account information with authorities.

Impacted customers should enable additional password protections, like logging in with a PIN. A PIN will protect users’ accounts from bad actors calling AT&T and impersonating them using the personal information they obtained. Customers can also request CPNI restrictions, which limit but do not stop the company from marketing additional products to users.

Rival provider T-Mobile suffered a more significant attack in January. The breach impacted 37 million customers exposing names, billing addresses, email addresses, phone numbers, dates of birth, account numbers, and service plan information. However, no social security numbers or passwords were leaked.

The company theorized the attacker used an API to access the data starting last November until the company detected and stopped their actions on January 5. Another breach last summer affected 77 million T-Mobile customers, after which the company settled a class-action lawsuit for $350 million.

The last major cybersecurity incident involving AT&T was in August 2021, when the notorious threat actor ShinyHunters allegedly tried to sell the personal information of 70 million customers. The telecom titan denied that the data cache originated from its systems, but ShinyHunters insisted on its authenticity, offering the database for $200,000. Like the hack this January, the information may have come from one of the company’s partners.