
Severity
High
Analysis Summary
A threat actor leaked the data of over 70 million people on a dark web forum and claimed that it was stolen in a 2021 breach of AT&T, which the company has recently denied came from its systems. Some of the entries in the leaked database are confirmed to be legitimate.
The data comes from an alleged 2021 AT&T data breach that a threat actor tried to sell on a data theft forum for a starting price of $200,000 with bid increments of $30,000. The cybercriminal also offered to sell the data immediately for $1 million. However, AT&T has said that the data did not come from its systems and that it has not been breached.
The company said, “Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems.”
To this, the threat actor replied that they do not care whether the company admits to the breach or not; they just want to sell the data. Even now, AT&T continues to say that it has yet to see any evidence of a breach in its systems and believes the data did not originate there. The company has not said whether the data could have come from a third-party service provider or vendor.
Yesterday, another threat actor leaked data from this alleged 2021 breach for free on a dark web forum and claims that it is the same data that was offered for sale in 2021. This data includes names, mobile phone numbers, addresses, encrypted social security numbers, encrypted dates of birth, and other sensitive information. The threat actor has also decrypted the social security numbers and birth dates and made them accessible in a second file within the data leak post.
It is not yet confirmed whether all of the 70+ million lines of data are accurate, but some of the data has been verified to contain accurate information such as addresses, social security numbers, phone numbers, and birth dates. This was achieved by checking and verifying that many of the listed users have online AT&T accounts. Other cybersecurity researchers have also confirmed that some of the data is accurate. However, data for some people who were AT&T customers in or before 2021 has not been found in the dump, which is not surprising: the company's total mobile customer base near the end of 2021 was around 201.8 million users, which shows that this data dump is only partial.
Currently, where all of this data originated is still unknown, but all evidence points to it being the data of AT&T users. It is safe to assume that if someone was an AT&T customer in or before 2021, their data has been exposed and can be used in targeted attacks such as email or SMS phishing as well as SIM swapping. It is recommended to remain vigilant against any SMS texts or phishing emails that claim to be from AT&T and to not provide any information in response. Instead, it is better to contact AT&T directly to confirm whether they tried to contact you.
Impact
- Exposure to Sensitive Data
- Identity Theft
Remediation
- Regularly change passwords for all accounts.
- Use strong, unique passwords for sensitive accounts.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources/senders.