AT&T Data Breach: What Happened, Who Was Affected, and What to Do Now

AT&T is one of the largest telecommunications companies in the United States, which makes the scale of what happened in 2024 all the more striking. That year, the company disclosed not one but two separate data breaches, together affecting well over 100 million current and former customers. One involved deeply personal information like Social Security numbers sitting on the dark web for years before AT&T acknowledged it. The other exposed the call and text records of nearly every wireless customer the company has.

If you are or were an AT&T customer, there is a reasonable chance your data was caught up in at least one of these incidents. Here is what we know about both breaches, what was taken, who did it, and what you can do.

>> Learn More: Identity Theft Protection Guide

What Happened: Two Separate Breaches in 2024

The 2024 AT&T story is actually two stories running in parallel. Understanding them separately is important because they involved different data, different timelines, and different levels of risk.

The Dark Web Breach (Announced March 2024)

In March 2024, a dataset containing personal information on approximately 73 million people was found for sale on a dark web forum. It included 7.6 million current AT&T account holders and 65.4 million former customers. The data included some combination of Social Security numbers, dates of birth, account passcodes, full names, email addresses, mailing addresses, phone numbers, and AT&T account numbers.1

AT&T initially denied that the data came from its systems, a position it had held since a hacker first claimed to have stolen it in 2021. The company finally acknowledged the breach on April 2, 2024, after a security researcher demonstrated that encrypted passcodes in the leaked dataset were easy to decipher, prompting AT&T to proactively reset passcodes for all affected current customers.

All of the compromised data in this breach is from 2019 or earlier. AT&T has said the origin of the data, whether it came directly from its own systems or from a third-party vendor, has not been conclusively determined.

The Snowflake Breach (Announced July 2024)

The second breach was disclosed on July 12, 2024, and it was larger in scope than the first, at least in terms of how many people were touched. AT&T revealed that hackers had illegally downloaded records from its workspace on Snowflake, a third-party cloud data platform, between April 14 and April 25, 2024. The stolen data covered calls and texts made by nearly all of AT&T’s wireless customers, approximately 109 to 110 million people, during a six-month window from May 1 to October 31, 2022, with a small number of records extending to January 2, 2023.2

The records exposed in this breach are different in character from the first. They did not include names, Social Security numbers, or financial information. What was taken was metadata: records of which phone numbers were called or texted, how long those calls lasted, and for some customers, cell tower identifiers that could be used to approximate location.

AT&T said it learned of the breach on April 19, 2024. The Department of Justice determined that delaying public disclosure was warranted due to potential national security concerns, which is why the breach was not publicly announced until July 12. The sensitivity of call log data in particular concerned officials. As one cybersecurity expert noted, knowing who government officials or military personnel are calling can be as revealing as the content of those calls.

Who Was Responsible?

The Snowflake breach has been attributed to a hacking group tracked under several names: UNC5537, Scattered Spider, and ShinyHunters. The attackers did not exploit a vulnerability in Snowflake’s platform itself. Instead, they obtained login credentials for Snowflake customer accounts through infostealer malware and used those credentials to log in directly, in many cases because the accounts were not protected by multi-factor authentication.

AT&T was one of at least 160 organizations targeted in this campaign. Other victims included Ticketmaster, Santander Bank, Advance Auto Parts, and Neiman Marcus.Once inside AT&T’s Snowflake environment, the attackers exfiltrated the call and text records and then contacted AT&T demanding payment. According to reporting by Bloomberg, AT&T paid approximately $370,000 in Bitcoin to have the stolen data deleted.3

Two individuals have since been charged in connection with the Snowflake campaign. Connor Moucka, a 26-year-old from Ontario, Canada, was arrested in November 2024. John Erin Binns, a 24-year-old who had been living in Turkey, was arrested separately and faces additional charges related to a 2021 T-Mobile breach. Together, the two are alleged to have accessed billions of sensitive customer records across dozens of companies and extorted at least $2.5 million from victims.

How Many Records Were Compromised?

How Were the Breaches Discovered and Resolved?

The dark web dataset first surfaced publicly in March 2024 when it appeared on a criminal forum, though the underlying breach reportedly dates to 2021 or earlier. A security researcher’s analysis of the leaked data revealed that AT&T’s account passcodes, while encrypted, used a weak enough scheme that they could be easily reversed. That discovery accelerated AT&T’s response. Within days, the company reset the passcodes of all affected current customers and began notifying those impacted.

The Snowflake breach was discovered internally on April 19, 2024, when AT&T was alerted to a threat actor’s claim of having stolen customer call logs. The company immediately activated its incident response process and brought in external cybersecurity experts. After confirming the breach, AT&T closed off the point of unlawful access to its Snowflake environment. The Federal Communications Commission opened an investigation, and the FBI and DOJ were involved from an early stage, with the Justice Department twice determining that delayed public disclosure was in the national interest before AT&T filed its SEC disclosure on July 12, 2024.

>> Learn More: Securing Confidential Personal Data Both Online and Offline

Lawsuits and the $177 Million Settlement

Both breaches triggered waves of class action litigation filed in state and federal courts across the country. The lawsuits were eventually consolidated into two separate multidistrict proceedings.

In 2025, AT&T agreed to a $177 million settlement to resolve both sets of lawsuits. The settlement was split into two pools: $149 million for customers affected by the dark web breach (announced March 2024) and $28 million for those affected by the Snowflake breach (announced July 2024). A federal judge granted preliminary approval on June 20, 2025.

Eligible customers could receive up to $5,000 for losses from the first breach and up to $2,500 for losses from the second. Those caught up in both breaches were eligible for up to $7,500. The claims deadline was November 18, 2025. AT&T denied wrongdoing in the settlement, characterizing the breaches as criminal acts carried out against the company.

It is worth noting that the stolen data has continued to circulate. In June 2025, repackaged versions of the original breach records appeared again on dark web marketplaces, with sellers combining data from multiple incidents into more complete and usable profiles. AT&T confirmed that the 2025 listings appeared to be repackaged versions of previously exposed data rather than evidence of a new breach.

What Can You Do to Check If You Were Affected?

Check Your AT&T Account Directly

Current AT&T customers can log into their account online to see whether their data was involved in either breach. Former customers who were affected by the Snowflake breach should have received a notification from AT&T by text, email, or mail that included their account number and a case number.

Use Have I Been Pwned

The free tool Have I Been Pwned (haveibeenpwned.com) allows you to enter your email address to check whether it appears in known breach databases, including the AT&T dataset. It will not tell you the specifics of every piece of data exposed, but it will confirm whether your address appears in indexed breach records.

Monitor Your Credit Reports

Given that Social Security numbers were exposed in the March 2024 breach, monitoring your credit is one of the most important steps you can take. You can pull free reports from all three major bureaus at AnnualCreditReport.com. Look for accounts or inquiries you do not recognize.

Consider a Credit Freeze

A credit freeze prevents new credit from being opened in your name without your authorization. It is free to place and lift at all three major bureaus (Equifax, Experian, and TransUnion) and is one of the most effective tools for preventing identity theft when your Social Security number has been exposed.

Watch for Phishing and Impersonation Attempts

The call metadata exposed in the Snowflake breach gives criminals detailed information about your communication patterns, including who you call frequently and when. That makes targeted social engineering much easier. Be skeptical of unsolicited calls or texts claiming to be from AT&T, your bank, or family members, and never share personal information or one-time codes over the phone with someone who called you.

Reset Your AT&T Passcode and Account Password

Even if AT&T reset your passcode proactively after the March 2024 breach, it is a good idea to set a new one yourself and to make sure your account password is strong and unique. If you reused your AT&T credentials on other sites, change those passwords as well.

>> Check Now: How Secure Is My Password?

A Note on Your Data Beyond the Breach

Something worth understanding about breaches of this scale is that the data does not disappear. It gets repackaged, traded, combined with records from other incidents, and recycled through criminal marketplaces for years. Even customers who have already taken protective steps may find their information continues to surface in new contexts.

That is part of why reducing your data footprint matters even after a breach has been resolved. A service like Incogni works by sending removal requests to data brokers on your behalf, targeting the databases that aggregate and sell personal information. It will not undo a breach, but it can help limit how much of your data remains accessible to people looking to build a profile on you. Given how long AT&T breach data has already been circulating, it is worth thinking about.

The Bottom Line

The AT&T breaches of 2024 were among the most significant data security incidents in recent U.S. history. Between the two events, data from more than 100 million current and former customers was compromised, covering everything from Social Security numbers to the intimate details of who people called and texted over a six-month period. Two individuals have been arrested in connection with the Snowflake breach, a $177 million settlement has been reached, and AT&T has said it has closed the access points that were exploited.

But the data is still out there. If you were an AT&T customer at any point before 2020, or had wireless service between May and October 2022, treating your information as potentially compromised is the most prudent approach. The steps above are practical starting points, and none of them require technical expertise to complete.