Millions of AT&T customers will have to create new passcodes for their accounts after troves of personal customer data were leaked to the dark web.
A data set containing passcodes for 7.6 million current AT&T customers and 65.4 million former customers was leaked online, the company said in a statement on Saturday.
The passcodes—numerical pins that are an extra layer of security for AT&T accounts—were released online alongside select personal data such as full names, addresses, email addresses, phone numbers, social security numbers, and birth dates, AT&T said.
“Our internal teams are working with external cybersecurity experts to analyze the situation,” the company said in a statement. “To the best of our knowledge, the compromised data appears to be from 2019 or earlier and does not contain personal financial information or call history.”
Three years ago, a hacker claimed to have accessed 73 million AT&T customer records, but only released a small sample of them at the time that were hard to authenticate. Two weeks ago, the full data set leaked, but AT&T said then that there was no breach to its systems.
In its statement released over the weekend, AT&T maintained there was no unauthorized access to its systems, and said the source of the customer data was unknown.
“[I]t is not yet known whether the data in those fields originated from AT&T or one of its vendors,” the company said.
The passcode reboot over the weekend was first reported by TechCrunch, which delayed publication while AT&T reset its customer accounts. This is the first time the company acknowledged that the leaked data belonged to its customers, according to TechCrunch.
The master passcode reset comes after an hours-long service outage in February that left some customers irritated after the company offered them a $5 credit to make up for it.
Shares of AT&T fell as much as 2.4% in Monday morning trading before rebounding. The company’s stock was down less than 1% as of publication.