Data from 73 Million AT&T Accounts Leaked: What You Can Do to Protect Yourself

AT&T on Saturday said the data of 73 million current and former customers is on the dark web. The data, including Social Security numbers, appears to be from 2019 or earlier, AT&T said in a statement, and includes personal information for approximately 7.6 million current account holders and 65.4 million former customers.

The leak first came to light in 2021, when hackers claimed they’d stolen customer data from AT&T and would put the information up for sale. Fast forward to March 2024, the stolen customer data — which may include customer names, addresses, phone numbers, Social Security numbers and dates of birth — was discovered on the dark web, according to Troy Hunt, creator of Have I Been Pwned. 

In response, AT&T said it has contacted the 7.6 million current customers and reset their passcodes. Whether you’re in the smaller set of current customers or the larger group of former account holders who think you’re data been stolen in the breach, you can take steps to potentially lessen the damage. Read on for what you can do. AT&T didn’t immediately respond to CNET’s request for comment. 

For more, here’s our picks for the best identity theft protection and monitoring services and how Consumer Report’s permission slip can help you take control of your online data. 

What to know about the AT&T data breach

AT&T on March 30 said that personal information of 73 million current and former customers — including Social Security numbers — was leaked in the middle of the month to the dark web. Bleeping Computer’s 2021 report of the leak said the stolen information also includes names, addresses, phone numbers and birth dates. AT&T said the information doesn’t appear to contain personal financial information or call history.

AT&T said the stolen information appears to from 2019 or earlier and does not know if the information came from AT&T or one of its vendors. 

How to see if your information was part of the AT&T leak

AT&T said it is contacting the 7.6 million current customers whose data was stolen and has reset their passcodes. The company said it is also communicating with the 65.4 million former account holders whose data was stolen.

You don’t have to wait for AT&T to contact you, however. Using Have I Been Pwned, you can see check if your data has been leaked. If you use store your password information in a Google account, its Password Checkup tool can alert you if your account information has been exposed. And the premium version of our favorite password manager, Bitwarden, can check for leaked passwords.

How to monitor your credit report for fraud

If you think your personal information was part of the AT&T breach you can also watch your credit reports for signs of potential fraud. 

Monitor your credit reports. You get one free credit report a year from the three major credit bureaus: Equifax, Experian and TransUnion. On your report, look for unusual or unfamiliar activity, such as the appearance of new accounts you didn’t open. And watch your credit card accounts and bank statements for unexpected charges and payments.

Sign up for a credit monitoring service. Pick a credit monitoring service that constantly monitors your credit report on major credit bureaus and alerts when it detects unusual activity. To help with the monitoring, you can set fraud alerts that notify you if someone is trying to use your identity to create credit. A credit-reporting service like LifeLock can start at $7.50 a month — or you could use a free service like the one from Credit Karma. 

What to do if you suspect you’re a victim of fraud or identity theft

As soon as you suspect your personal information has been stolen you can take action to stop unauthorized charges and start to recover your identity.

Place a fraud alert. If you suspect fraud, place a fraud alert with each of the credit reporting companies: Equifax, Experian and TransUnion. The alert notifies creditors that you have been a victim of fraud and lets them know to verify that you’re making new credit requests in your name. You can place an initial fraud alert, which stays on your credit report for 90 days, or an extended fraud alert, which stays on your credit report for seven years. Placing a fraud alert won’t affect your credit score. 

Contact fraud departments. For each business and credit card company where you think an account was opened or charged without your knowledge, contact its fraud department. While you’re not responsible for fraudulent charges to an account, you need to report the suspicious activity promptly.

Freeze your credit. If you want to stop anyone from opening credit and requesting loans and services in your name without your permission, you can freeze your credit. You will need to request a freeze with each of the three credit reporting companies, which again are Equifax, Experian and TransUnion. To apply for new credit, you need to unfreeeze your credit, again, through each of the credit reporting companies. You can either request a temporary lift of the freeze or unfreeze it permanently.

Create a recovery plan. The Federal Trade Commission has a valuable tool that helps you report identity theft and recover your identity through a personal recovery plan and Identity Theft Report, which may help you dispute charges.

Document everything. Keep copies of all documents and expenses and records of your conversations about the theft.

For more, here are our favorite password managers and the best VPN services.