Hackers have leaked what they claim is AT&T’s database, which was reportedly stolen by the ShinyHunters group in April 2024 after they exploited major security flaws in the Snowflake cloud data platform. But is this actually the Snowflake-linked data? We took a closer look.
As seen by the Hackread.com research team, the data was first posted on a well-known Russian cybercrime forum on May 15, 2025. It was re-uploaded on the same forum on June 3, 2025, after which it began circulating among other hackers and forums.
After analyzing the leaked data, we found it contains an extensive set of personal information. Each of these data points poses a serious privacy risk on its own, but together, they create full identity profiles that could be exploited for fraud or identity theft. The data includes:
- 44 Million Social Security Numbers (SSN) (43,989,219 in total)
Plain Text and Full Social Security Numbers (SSNs) Leaked
Here’s the troubling part: the threat actor claims that both date of birth and Social Security numbers (SSNs) were originally encrypted but have since been fully decrypted and are now included in the leaked data as plain text. Put simply, if you’re an AT&T customer, your SSN could be part of this leak.
Not that it changes much; your SSNs were likely already exposed in the August 2024 National Public Data breach, where a now-arrested hacker using the alias USDOD leaked over 3.2 billion SSNs and other personal details online.
Background of AT&T Snowflake Data Breach
AT&T has a long history of large-scale data breaches, so if this feels familiar, you’re not imagining it. Buckle up, this is just the latest in a growing list.
In April 2024, as reported by Hackread.com, AT&T experienced a major data breach when hackers accessed its Snowflake cloud environment, compromising the call and text metadata of nearly 110 million customers.
The breach lasted from May 2022 to October 2022 and included some records from January 2023. It exposed phone numbers, interaction counts, and call durations, though not the content of communications or personally identifiable information.
The cyberattack was part of a large-scale campaign targeting over 160 Snowflake customers. Hackers exploited stolen credentials lacking multi-factor authentication to infiltrate these environments.
AT&T’s compromised data was stolen by a hacker associated with the ShinyHunters group. Reports indicate that AT&T paid a ransom of approximately $370,000 in Bitcoin to have the stolen data deleted, a transaction facilitated through an intermediary known as Reddington.
It’s worth noting that the ShinyHunters group also took credit for the major Ticketmaster data breach associated with the Snowflake security lapse, in which data of 560 million users was put up for sale online.
In response to the breach, AT&T initiated an incident response process with third-party cybersecurity experts, closed the unauthorized access point, and notified affected customers. The company stated that it does not believe the data is publicly available.
The breach prompted scrutiny from US lawmakers, with Senators Richard Blumenthal and Josh Hawley demanding explanations from AT&T and Snowflake regarding the security lapses that led to the incident. They expressed concerns about the misuse of the compromised data by malicious actors.
Is this the AT&T Database from Snowflake Breach? Not So Fast.
The threat actor behind the latest leak claims the database contains 70 million AT&T customer records stolen in April 2024 by exploiting a major security vulnerability in the Snowflake cloud data warehouse.
“Initially one of many databases from the Snowflake breach, right here is my backup I created,” the account behind the data leak stated. But does that claim hold up? Not quite.
Hackread.com’s analysis shows that the dataset actually includes more than 88 million (88,320,018) records. After removing duplicates, the number drops to more than 86 million (86,017,090) unique entries, far more than the claimed 70 million.
There’s another issue. The database contents don’t fully match what was reported in the Snowflake-related AT&T breach. That breach reportedly exposed nearly 110 million customer records, including call and text metadata, none of which appears in this leak.
So, is this a partial AT&T database from the Snowflake breach? Maybe, maybe not. But unless AT&T officially confirms it, there’s no way to say for certain.
But, There’s More
In August 2021, the notorious hacking group ShinyHunters claimed to possess a database containing the personal information of over 70 million AT&T customers. They listed this data for sale on the now-seized RaidForums marketplace, starting at $200,000.
Hackread.com reviewed sample records provided by the group back in 2021, which included full names, addresses, ZIP codes, dates of birth, email addresses, and encrypted Social Security Numbers (SSNs). AT&T responded by stating that, based on their investigation, the information did not appear to originate from their systems.
However, in April 2024, after nearly two years of denial, AT&T acknowledged the August 2021 data breach when ShinyHunters leaked the full database on BreachForums. “Based on our preliminary evaluation, the dataset seems to be from 2019 or earlier, affecting roughly 7.6 million present AT&T account holders and 65.4 million former account holders,” the company admitted.
Similarities and Differences Between the April 2024 AT&T Leak and the Latest One
Hackread.com has noticed several similarities and differences between the April 2024 AT&T leak and the latest one. The April 2024 leak was a poorly structured mess. The data appeared in a loosely organized, pipe-delimited format with no field labels, making it difficult to interpret or analyze without a corresponding schema to explain each value.
The latest leak is well-structured, clearly formatted, and straightforwardly divided into three CSV files, making it easy to understand what each field represents. Interestingly, the biggest similarity, and difference, between the two leaks is the handling of Social Security Numbers (SSNs). In the 2024 leak, the SSNs were encrypted. In the latest leak, however, those same SSNs appear to have been decrypted.
Hackread.com conducted a detailed analysis and found that all previously encrypted SSNs from the earlier leak have been carefully decrypted and mapped in the new dataset, making them more accessible for malicious use.
We also found matching customer names, email addresses, physical addresses, and phone numbers across both leaks. However, while the 2024 leak contained around 73 million records, the latest dataset includes 86 million.
This makes it unclear whether the new leak is simply the 2024 database with decrypted values, or if it originates from the newer Snowflake-related breach. That said, the data appears authentic, especially since AT&T has already acknowledged the earlier breach and data leak.
Our Conclusion
At this point, it’s difficult to say with certainty whether the newly leaked database is a decrypted version of the 2024 Snowflake breach, a separate dump, or some combination of both. What’s clear, though, is that a massive amount of highly sensitive AT&T customer data is circulating once again, this time in a more organized and potentially more dangerous form.
With decrypted Social Security Numbers, full personal details, and a growing pattern of repeated exposure, the stakes for affected users are higher than ever. While AT&T has acknowledged past breaches, the company has yet to confirm whether this latest dataset is part of the same incident or something new altogether.
Until a formal response is issued, unfortunately, unsuspecting customers are left in the dark, relying on our report and forums to understand the scope of their exposure. Nevertheless, we have reached out to AT&T and this article will be updated accordingly.