
A newly disclosed breach has shaken the cybersecurity landscape: hackers have leaked a massive dataset containing over 86 million AT&T customer records, including decrypted Social Security Numbers (SSNs).
Originally posted on a Russian cybercrime forum in May 2025 and reuploaded in early June, the dataset has now spread widely across threat actor channels.
What’s in the Leak?
The exposed records contain:
- Full names
- Dates of birth
- Phone numbers
- Email addresses
- Physical addresses
- Approximately 44 million decrypted Social Security Numbers
The threat actor claims that both SSNs and dates of birth were encrypted in the original source but have now been fully decrypted—indicating either a failure in encryption management or additional compromise.
Possible Connection to Previous AT&T Breaches
While AT&T has previously suffered data breaches, including the 2024 Snowflake-related breach affecting 110 million users’ call and text metadata, this incident appears different. That earlier breach reportedly did not include personally identifiable information (PII), whereas this leak includes direct identifiers, including decrypted SSNs.
The fact that the data has been decrypted and repackaged suggests the attackers either had prolonged access or augmented previously stolen data with additional, unreported breach sources.
AT&T’s Response
AT&T has not confirmed the authenticity of the dataset but issued the following statement:
“It is not uncommon for cybercriminals to re-package previously disclosed data for financial gain. We just learned about claims that AT&T data is being made available for sale on dark web forums, and we are conducting a full investigation.”
Guidance for Critical Path Security Clients
If your organization handles customer data—or integrates with vendors that do—this breach should be viewed as another wake-up call. Here’s what we recommend for Critical Path Security clients:
Technical Recommendations
- Verify encryption policies: Ensure that sensitive data such as SSNs and DOBs are encrypted using modern, properly implemented cryptographic methods—at rest and in transit.
- Audit your vendors: If you’re leveraging platforms like Snowflake or others that hold sensitive data, conduct regular audits and insist on security certifications.
- Use tokenization: For highly sensitive identifiers like SSNs, tokenization often provides a safer approach than encryption, especially when data must remain usable but protected.
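To make the tokenization recommendation concrete, here is an added example (not code from AT&T, Snowflake, or Critical Path Security). It shows application rows holding only a random token and the last four digits, while the SSN stays in a separate vault. The class name, the role name `billing-verification`, and the in-memory dictionaries standing in for a hardened vault store are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")
DETOKENIZE_ROLES = {"billing-verification"}  # hypothetical role name


class SsnTokenVault:
    """In-memory vault: application tables hold tokens, only the vault holds SSNs."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key  # HMAC key for the lookup index, never leaves the vault
        self._by_token = {}          # token -> SSN digits
        self._by_index = {}          # HMAC(SSN) -> token, so one SSN always maps to one token

    def tokenize(self, ssn: str) -> str:
        match = SSN_RE.match(ssn.strip())
        if not match:
            raise ValueError("expected a 9-digit SSN")
        digits = "".join(match.groups())
        index = hmac.new(self._index_key, digits.encode(), hashlib.sha256).hexdigest()
        if index not in self._by_index:
            # The token is random, not derived from the SSN, so no key reverses it.
            token = "tok_" + secrets.token_hex(16)
            self._by_token[token] = digits
            self._by_index[index] = token
        return self._by_index[index]

    def detokenize(self, token: str, caller_role: str) -> str:
        # Least privilege: only explicitly listed roles may recover the real value.
        if caller_role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._by_token[token]


def customer_row(vault: SsnTokenVault, name: str, ssn: str) -> dict:
    """Build what the application database stores: the token and last four digits."""
    token = vault.tokenize(ssn)
    return {"name": name, "ssn_token": token, "ssn_last4": ssn.strip()[-4:]}


if __name__ == "__main__":
    vault = SsnTokenVault(index_key=secrets.token_bytes(32))
    # Constructed sample: area number 000 is never issued as a real SSN.
    row = customer_row(vault, "Pat Example", "000-12-3456")
    print(row)
    print(vault.detokenize(row["ssn_token"], "billing-verification"))
```
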
Customer-Facing Advice
If your clients may have been affected, or if you handle similar PII:
- Proactively notify them about risks and recommend credit monitoring.
- Encourage them to place fraud alerts or credit freezes with major credit bureaus.
- Offer guidance on how to detect phishing emails and scams using stolen identity information.
For Your Team
- Run internal tabletop exercises based on this breach scenario.
- Review your breach notification and incident response policies.
- Ensure that least privilege and segmentation controls are enforced on systems holding PII.
Final Thoughts
While AT&T works to investigate the incident, this breach highlights how quickly data can be weaponized once it leaves a secure perimeter—and the long tail of risk when encryption is compromised.
Critical Path Security stands ready to support clients in understanding their exposure, improving data security posture, and proactively defending against identity-driven threats.