Last week AT&T made this post on the new section of their website, titled "AT&T addresses recent data set released on the dark web". As you can see, the date of this post is March 30th, 2024. The big problem here, though, is that this AT&T data set, which includes information like the names, addresses, phone numbers and social security numbers of over 70 million current and former AT&T customers, has been floating around on the dark web for about three years now. Only recently did it get released publicly for literally anyone to download. Two weeks ago a thread was posted to our friendly neighborhood dark web hacker forum, which may or may not be an FBI honeypot after Pompompurin got arrested in New York last year. Anyway, this post was titled "AT&T 70 Mill Database 2021". That's right: this data is originally from 2021, and like I said, the people whose private information is in this database are only just now finding out about it. The data was originally posted by a user named ShinyHunters, who was trying to sell the database. That's a pretty common thing in these hacker communities: people try to sell breached data to other hackermans who want to use it for different kinds of fraud. You've got to imagine that if you've got a database with names, birthdays, social security numbers and addresses for all these people, then you could probably open up some credit cards in their names, apply for loans, or impersonate AT&T and convince someone to pay an overdue bill with some Google Play cards or some Bitcoin. The possibilities are endless. But as things tend to go in the data trade, this data gets cheaper as it ages, because people make copies of the database and sell it for cheaper in other places. Some of the victims might have already been exploited by the data leak, and now they're going to be harder to exploit in the future.
Which is where we end up getting posts like this one from MajorNelson, where they just give away the data for free. Someone may have once paid thousands of dollars for it, or maybe they got it for free from a more obscure dark web forum, because this is still one of the most popular ones even though it may or may not be an FBI honeypot now that its original owner was arrested. But this user here definitely got something out of it: they got some reputation points. They literally gained like 30 reputation points for this post alone. AT&T, on the other hand, should really lose some reputation points, because as recently as March 17th, the same day that this leak was posted to our favorite FBI honeypot, AT&T themselves were denying that the leak even came from their systems. They've been denying this data breach since August 2021, when ShinyHunters was trying to auction it off, and they only admitted to this data breach when the data essentially became publicly available. For the past three years at least one cybercriminal has had access to this database, and it's because of these lies, and really AT&T's failure in the first place to secure this customer data, that different lawsuits are being filed against AT&T now. If you're an AT&T customer, you really should be following this class action lawsuit to see if you'll be entitled to some compensation in the future, because this is a ridiculous fail in protecting users' data. There were samples of the data that were made publicly available back in 2021 with the original post. That's just part of the whole black market data sales process: people have to make some of the data publicly available so others can look at it and try to figure out whether it's legit or not. So AT&T could have easily accessed the forum. It was actually easier to access before, you know, the new owners took over it, but they could have accessed it.
They could have verified the sample data in their systems and then taken a proactive approach three years ago to warn their customers of this breach, so that they could have gotten identity theft protection, changed their emails, their phone numbers, their credit card numbers, or taken whatever measures they saw necessary. But instead of doing that, AT&T chose to just deny it, because the full database was behind a heckin' paywall on the dark web. It's not like anyone's actually gonna see it. And I still don't know if AT&T has directly reached out to the victims of this to tell them what happened. I guess comment below if you're a customer and you've gotten an email from them, because I'm not an AT&T customer. Thank goodness. But one, I guess, good thing that AT&T did do, which turned out to be very much necessary, was reset everybody's account passcodes. Now, the account passcode in this case is necessary to do different things with your AT&T account. It's similar to a transfer PIN that you would have to give them to transfer your phone number to a new SIM card, which is how SIM swap attacks are typically done, by the way. The reason these passcodes had to be reset is because they were listed in the database, but in an encrypted format. If we take a look at the "About your AT&T passcode" section on their website, they tell us right here that it is a four-digit AT&T passcode. When you tell a normie that they have to come up with a four-digit passcode, 90% of the time that code is going to be something like their date of birth, the last four digits of their social security number, their street number, or part of their phone number: something that's pretty easy for you to figure out. And what do you know, all of that data is in plain text right next to the encrypted passcode.
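As an added example that is not from the video or from AT&T, here is a passcode policy check that rejects the obvious choices described above (DOB, last four of the SSN, street number, phone fragments), run against a constructed customer profile; the field names and sample values are assumptions.

```python
import re
from datetime import date

# Constructed sample profile (not real leaked data): the plain-text fields the
# video says sat next to each customer's hashed passcode.
SAMPLE_PROFILE = {
    "dob": date(1987, 3, 14),
    "ssn_last4": "5390",
    "street_number": "2024",
    "phone": "555-014-1987",
}


def derived_codes(profile):
    """Every 4-digit code a customer is likely to build from their own PII."""
    dob = profile["dob"]
    yy = dob.year % 100
    codes = {
        f"{dob.month:02d}{dob.day:02d}",   # MMDD
        f"{dob.day:02d}{dob.month:02d}",   # DDMM
        f"{dob.year:04d}",                 # YYYY
        f"{dob.month:02d}{yy:02d}",        # MMYY
        f"{yy:02d}{dob.month:02d}",        # YYMM
        profile["ssn_last4"],
        profile["street_number"].zfill(4)[-4:],
    }
    # Any 4-digit window of the phone number (including its last four digits).
    digits = re.sub(r"\D", "", profile["phone"])
    codes.update(digits[i:i + 4] for i in range(len(digits) - 3))
    return codes


def check_passcode(code, profile):
    """Return (accepted, reason) for a proposed 4-digit account passcode."""
    if not re.fullmatch(r"\d{4}", code):
        return False, "must be exactly 4 digits"
    # Reject repeated digits (1111) and straight runs (1234, 4321).
    steps = {int(code[i + 1]) - int(code[i]) for i in range(3)}
    if steps <= {0} or steps == {1} or steps == {-1}:
        return False, "repeated or sequential digits"
    if code in derived_codes(profile):
        return False, "derived from account PII (DOB, SSN, address, phone)"
    return True, "ok"
```

The same check is where a carrier would enforce a longer, alphanumeric transfer PIN instead of four digits; only the regex and the derivation list would change.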
Well, technically the birthdays are encrypted too in this master file, which is what pretty much contains everything, but there's this other file called DOB 1 that contains key-value pairs for every single birthday going from 1/1/1900 to 12/31/2016, so these values can be translated pretty easily. And the cherry on top of this information security fail cake is that it appears AT&T didn't properly salt their passcodes. That's right: out of 70 million entries there are only 10,000 or so unique passcodes, because AT&T only lets you use four digits for the passcodes and they don't put no seasonin' on their password hashes. So you could just use the plain text data and the knowledge of how people choose passcodes to deduce what these encrypted passcodes are without ever actually breaking their encryption scheme. And even though AT&T prompted people to change their passcodes, their new code is probably still something that's pretty easily figured out, especially with all the data that's in this leak. Like, okay, best case scenario, maybe someone changed their passcode to their spouse's birthday, but chances are that person uses AT&T as well and probably lives at the same address as your target, so that data is going to be in the leak as well and pretty easy to find. My guess is that people are going to be victimized from this leak for years to come. So if you're an AT&T customer, you really should keep an eye out for identity theft. Obviously don't reuse that passcode anywhere, and if you're ever forced to create a really insecure passcode like that, you know, a four-digit numeric-only passcode, try your damnedest to not use something as obvious as the last four digits of your social security number, or your date of birth, or your spouse's date of birth, or, you know, something that can easily be found in a database leak like this or through some social engineering. But really, I think all cell phone carriers should go towards using more secure passcodes. There are some that I've seen, and, you know,
other people analyzing this have seen some that appear to be a little bit longer, so maybe it is possible to create passcodes longer than four digits with AT&T. But I've been with a couple of different cell phone providers, and it seems like they always either limit you to four digits or encourage you to make the passcode only four digits. So yeah, we should probably stop doing that. We should probably start creating transfer PINs that are at least eight digits, alphanumeric, so that, you know, we're not going to get pwned by stuff like this. But if you enjoyed this video, please like it and share it to hack the algorithm, and check out my online store, based.win, where you can get awesome merch like the tie-dye Tor tee and the Come and Find It hoodie, and you can get accessories for your phone and laptop. 10% discount at checkout when you pay in Monero (XMR). Have a great rest of your day.
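Added example (not the video's or AT&T's code) for the unsalted-hash point made above: the weak deterministic scheme beside a salted, slow-KDF version, plus a defender-side audit that flags a stored passcode column as unsalted when duplicate values appear. The choice of SHA-256/PBKDF2, the iteration count and the constructed sample codes are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample passcodes (not leaked data). Real populations cluster on
# birthdays and obvious patterns, so several customers share "0314" here.
SAMPLE_CODES = ["0314", "1234", "0314", "0314", "5390"]
KDF_ITERATIONS = 200_000  # illustrative; tune to your latency budget


def store_unsalted(code):
    """Weak scheme: one deterministic digest per code. Two customers with the
    same 4-digit code get byte-identical stored values, and the whole column
    can never hold more than 10,000 distinct values."""
    return hashlib.sha256(code.encode()).hexdigest()


def store_salted(code, salt=None):
    """Hardened scheme: random per-customer salt plus a slow KDF.
    Returns (salt, digest); the salt is stored next to the digest."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, KDF_ITERATIONS)
    return salt, digest


def verify_salted(code, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, KDF_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def audit_salting(stored_values):
    """Check a column of stored passcode values: duplicates mean equal inputs
    produced equal outputs, i.e. no per-row salt. A properly salted column of
    256-bit digests should never repeat."""
    distinct = len(set(stored_values))
    return {
        "rows": len(stored_values),
        "distinct": distinct,
        "duplicates": len(stored_values) - distinct,
        "looks_unsalted": distinct < len(stored_values),
    }


if __name__ == "__main__":
    print("unsalted:", audit_salting([store_unsalted(c) for c in SAMPLE_CODES]))
    print("salted:  ", audit_salting([store_salted(c)[1] for c in SAMPLE_CODES]))
```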