This week marked an unpleasant April Fools Day for some 73 million AT&T current and past customers who were notified about the theft of their Social Security Numbers, birth dates and other personal information.

As the company started urgently notifying victims via email about password resets and the extent of their privacy breach, it remains anybody's guess how many phishing campaigns will take advantage of the chaos to masquerade as legitimate messages and further victimize customers, convince them to send money or even pay a ransom.


To be clear, the company indicated that the notifications would come via email and/or postal mail, making it difficult to determine whether one or the other should be expected. This of course presents scammers with ample opportunities to create more or less sophisticated phishing campaigns that may target customers for years to come.

Phishing or Breach Notification?

As victims receive notifications via email - or even postal mail - they can fall prey to elaborate schemes to further victimize them with requests to

  • download infected software under the guise of 'security tools'
  • sign up for credit monitoring from potentially malicious sites
  • pay up or have their information further compromised as part of an extortion scheme

The fact is, criminals know that victims are now expecting breach notification notices; and even if they aren't, a phish that simply asks them to Google the existence of the AT&T breach will be an easy way to gain their trust.

An example of extortion phishing is explained by the Canadian government's Get Cyber Safe website: "Extortion phishing messages do not offer fake incentives. Instead, they threaten you to get you to provide sensitive information or money. Extortion emails will often contain some of your personal information, usually a password or another piece of private information like your date of birth. The message will state that they have more of your confidential information and will expose it online or use it unless you pay."

My personal concerns are not only for the current 7.3 million customers but also for the 64 million former AT&T subscribers who no longer have accounts to reset, yet their data was equally compromised, potentially including passwords that they shared with other sites at some point in time.

Combined with their dates of birth and social security numbers, their contact information can be used to open accounts on anything from financial sites to utility contracts, all of which carry a significant identity fraud risk for victims.

While everyone should use www.HaveIbeenPwned.com to trigger notifications about (all) their personal emails, that by itself will not be enough. Additional steps should be taken to notify credit monitoring companies and banks to ensure that additional checks and balances are in place.

In the immediate term, the uncertainty of not knowing whether a breach notification message will send victims to a malicious site will keep victims - and their families - on their toes.

A Goldmine for Cybercriminals

I took the opportunity to ask ChatGPT what kind of identity fraud can be committed by malicious individuals with access to the lost information, including names, passwords, addresses, phone numbers, dates of birth, Social Security numbers and email addresses. Without hesitation, this is what it said: With the identity elements you've listed, various types of identity fraud can be perpetrated:

  1. Account Takeover: By acquiring someone's name and password, hackers can gain unauthorized access to their online accounts, such as email, social media, or banking accounts. Once inside, they can exploit these accounts for financial gain or other malicious purposes.
  2. Identity Theft: With access to personal information like names, addresses, dates of birth, Social Security numbers, and phone numbers, fraudsters can impersonate individuals to open new credit accounts, apply for loans, or make fraudulent purchases, potentially causing significant financial damage to the victim.
  3. Phishing and Email Scams: Email addresses can be used for phishing scams, where fraudsters send emails pretending to be from legitimate organizations, asking for sensitive information like passwords, Social Security numbers, or financial details.
  4. Account Creation: Using stolen identities, fraudsters can create new accounts or profiles on various platforms, including social media, online shopping sites, or financial institutions, which they can then use for illicit activities or to further perpetrate identity theft.
  5. SIM Card Hijacking: Phone numbers can be used for SIM card hijacking, where fraudsters convince a mobile carrier to transfer a victim's phone number to a SIM card under their control. This enables them to intercept calls, messages, and two-factor authentication codes, gaining access to various accounts.
  6. Address Fraud: Fraudsters can use stolen addresses to redirect mail containing sensitive information, such as credit card statements or government documents, to locations under their control, allowing them to intercept and misuse this information.

Overall, these identity elements can be used individually or in combination to carry out various forms of identity fraud, highlighting the importance of safeguarding personal information and being vigilant against potential scams and cyber threats.

Class Action Lawsuits

Unfortunately, the damages don't stop there. A data breach of this magnitude has triggered multiple lawsuits by current and past customers stating: "We allege AT&T knew about the vulnerability that allegedly led to this breach, but allowed it to occur by failing to act. We're also alleging AT&T exacerbated the problem by failing to acknowledge the breach had occurred until March 30 of this year, allowing customers' personal data to linger in criminal hands without their knowledge for more than two-and-a-half years."

As reported by many outlets including PC Mag and BleepingComputer, class action lawsuits such as Dean v. AT&T Inc. allege that the data was stolen before August of 2021. The following is an excerpt of the complaint:
On or about August 19, 2021, a criminal hacking group called “ShinyHunters” began selling on a hacking forum a database which, according to ShinyHunters, contains Personal Customer Data of over 70 million AT&T customers.
While attempting to sell the database, ShinyHunters only revealed sample data from the compromised database, which included customers’ names, addresses, phone numbers, Social Security numbers, and dates of birth.
AT&T maintained, without providing any evidence, that the data samples leaked from the compromised database did not come from AT&T’s systems and that AT&T had not been breached. AT&T also did not confirm whether the leaked data came from a breach of a third-party partner’s information technology systems which may have held Private Information. ShinyHunters challenged AT&T’s denials of the Data Breach coming from AT&T or one of its third-party partners, stating “I don’t care if they don’t admit. I’m just selling.” ShinyHunters also stated that the criminal group was willing to “negotiate” with AT&T. Shortly after the 2021 Data Incident, a security researcher reported that two of the four individuals in the data samples leaked by ShinyHunters were confirmed to have accounts on att.com. AT&T did not notify any of its customers, including Plaintiff and Class Members, of the 2021 Data Incident.
On or about March 17, 2024, another cybercrime actor known as “MajorNelson” posted on an Internet forum the entire dataset of the stolen database from the 2021 Data Incident, the database of which ShinyHunters attempted to sell. The data leaked by MajorNelson included the following data types from approximately 73 million individuals, inter alia: names, addresses, phone numbers, dates of birth, and Social Security numbers.
On March 19, 2024, Troy Hunt — a security researcher and the creator of the data breach notification website “Have I Been Pwned” — posted on his blog about the AT&T Data Breach. In the blog post, Mr. Hunt concluded that the leaked data from the Data Breach was authentic after he spoke with several “Have I Been Pwned” subscribers who were AT&T customers and who confirmed the accuracy of the leaked data. Moreover, Mr. Hunt noted that the Internet forum on which the leaked data was posted is not on the ‘dark web,’ but rather on the traditional Web “easily accessed by a normal web browser.” The 2021 Data Incident combined with the 2024 Data Incident (together, the “Data Breach”) caused significant harm to Plaintiff and Class Members.

You can read the rest here, as this is likely to be a story to follow for months to come.