
Exclusive: Hackers Leak 86 Million AT&T Records with Decrypted SSNs – Source:hackread.com


Source: hackread.com – Author: Waqas.

Hackers have leaked what they claim is AT&T’s database, which was reportedly stolen by the ShinyHunters group in April 2024 after they exploited major security flaws in the Snowflake cloud data platform. But is this really the Snowflake-linked data? We took a closer look.

As seen by the Hackread.com research team, the data was first posted on a well-known Russian cybercrime forum on May 15, 2025. It was re-uploaded on the same forum on June 3, 2025, after which it began circulating among other hackers and forums.

The screenshot shows the data now leaked on two cybercrime forums. While hackers claim it contains 70 million customer records, Hackread.com confirms it actually holds 86 million AT&T customer records. (Image Credit: Hackread.com)

After analyzing the leaked data, we found it contains a detailed set of personal information. Each of these data points poses a serious privacy risk on its own, but together, they create full identity profiles that could be exploited for fraud or identity theft. The data includes:

  • Full names
  • Date of birth
  • Phone numbers
  • Email addresses
  • Physical addresses
  • 44 Million Social Security Numbers (SSN) (43,989,219 in total)

Plain Text and Full Social Security Numbers (SSNs) Leaked

Here’s the troubling part: the threat actor claims that both date of birth and Social Security numbers (SSNs) were originally encrypted but have since been fully decrypted and are now included in the leaked data as plain text. Put simply, if you’re an AT&T customer, your SSN could be part of this leak.

Screenshot from the leaked data (Credit: Hackread.com)

Not that it changes much; your SSNs were likely already exposed in the August 2024 National Public Data breach, where a now-arrested hacker using the alias USDOD leaked over 3.2 billion SSNs and other personal details online.

Background of AT&T Snowflake Data Breach

AT&T has a long history of large-scale data breaches, so if this feels familiar, you’re not imagining it. Buckle up, this is just the latest in a growing list.

In April 2024, as reported by Hackread.com, AT&T experienced a major data breach when hackers accessed its Snowflake cloud environment, compromising the call and text metadata of nearly 110 million customers.

The breach lasted from May 2022 to October 2022 and included some records from January 2023. It exposed phone numbers, interaction counts, and call durations, though not the content of communications or personally identifiable information.

The cyberattack was part of a large-scale campaign targeting over 160 Snowflake customers. Hackers exploited stolen credentials lacking multi-factor authentication to infiltrate these environments.

AT&T’s compromised data was stolen by a hacker associated with the ShinyHunters group. Reports indicate that AT&T paid a ransom of approximately $370,000 in Bitcoin to have the stolen data deleted, a transaction facilitated through an intermediary known as Reddington.

It’s worth noting that the ShinyHunters group also took credit for the major Ticketmaster data breach connected to the Snowflake security lapse, in which data of 560 million users was put up for sale online.

In response to the breach, AT&T initiated an incident response process with third-party cybersecurity experts, closed the unauthorized access point, and notified affected customers. The company stated that it does not believe the data is publicly available.

The breach prompted scrutiny from US lawmakers, with Senators Richard Blumenthal and Josh Hawley demanding explanations from AT&T and Snowflake regarding the security lapses that led to the incident. They expressed concerns about the misuse of the compromised data by malicious actors.

Is this the AT&T Database from Snowflake Breach? Not So Fast.

The threat actor behind the latest leak claims the database contains 70 million AT&T customer records stolen in April 2024 by exploiting a major security vulnerability in the Snowflake cloud data warehouse.

“Originally one of the databases from the Snowflake breach, here is my backup I created,” the account behind the data leak stated. But does that claim hold up? Not quite.

Hackread.com’s analysis reveals that the dataset actually includes more than 88 million (88,320,018) records. After removing duplicates, the number drops to more than 86 million (86,017,090) unique entries, far more than the claimed 70 million.

There’s another issue. The database contents don’t fully match what was reported in the Snowflake-related AT&T breach. That breach reportedly exposed nearly 110 million customer records, including call and text metadata, none of which appears in this leak.

So, is this a partial AT&T database from the Snowflake breach? Maybe, maybe not. But unless AT&T officially confirms it, there’s no way to say for certain.

But, There’s More

In August 2021, the notorious hacking group ShinyHunters claimed to possess a database containing the personal information of over 70 million AT&T customers. They listed this data for sale on the now-seized Raid Forums marketplace, starting at $200,000.

Hackread.com reviewed sample records provided by the group back in 2021, which included full names, addresses, ZIP codes, dates of birth, email addresses, and encrypted Social Security Numbers (SSNs). AT&T responded by stating that, based on their investigation, the information did not appear to originate from their systems.

However, in April 2024, after nearly two years of denial, AT&T acknowledged the August 2021 data breach when ShinyHunters leaked the full database on BreachForums. “Based on our preliminary analysis, the dataset appears to be from 2019 or earlier, affecting approximately 7.6 million current AT&T account holders and 65.4 million former account holders,” the company admitted.

Similarities and Differences Between the April 2024 AT&T Leak and the Latest One

Hackread.com has noticed several similarities and differences between the April 2024 AT&T leak and the latest one. The April 2024 leak was a poorly structured mess. The data appeared in a loosely organized, pipe-delimited format with no field labels, making it difficult to interpret or analyze without a corresponding schema to explain each value.

The latest leak is well-structured, clearly formatted, and straightforwardly divided into three CSV files, making it easy to understand what each field represents. Interestingly, the biggest similarity, and difference, between the two leaks is the handling of Social Security Numbers (SSNs). In the 2024 leak, the SSNs were encrypted. In the latest leak, however, those same SSNs appear to have been decrypted.

Hackread.com conducted a detailed analysis and found that all previously encrypted SSNs from the earlier leak have been carefully decrypted and mapped in the new dataset, making them more accessible for malicious use.


We also found matching customer names, email addresses, physical addresses, and phone numbers across both leaks. However, while the 2024 leak contained around 73 million records, the latest dataset includes 86 million.

This makes it unclear whether the new leak is simply the 2024 database with decrypted values, or if it originates from the more recent Snowflake-related breach. That said, the data appears legitimate, especially since AT&T has already acknowledged the earlier breach and data leak.

“The original breach of sensitive records from AT&T was enough to worry their customers; now it poses a significant risk to their identities,” said Thomas Richards, Infrastructure Security Practice Director at Black Duck. With both date of birth and SSNs being compromised, malicious actors have all the information they need to commit fraud and impersonate AT&T customers. If they haven’t already, the affected users should be notified and actively monitor their credit for any signs of fraud.

Our Conclusion

At this point, it’s difficult to say with certainty whether the newly leaked database is a decrypted version of the 2024 Snowflake breach, a separate dump, or some combination of both. What’s clear, though, is that a massive amount of highly sensitive AT&T customer data is circulating once again, this time in a more organized and potentially more dangerous form.

With decrypted Social Security Numbers, full personal details, and a growing pattern of repeated exposure, the stakes for affected users are higher than ever. While AT&T has acknowledged past breaches, the company has yet to confirm whether this latest dataset is part of the same incident or something new altogether.

Until a formal response is issued, unsuspecting customers are unfortunately left in the dark, relying on our report and forums to understand the scope of their exposure. Nevertheless, we have reached out to AT&T, and this article will be updated accordingly.

UPDATE (June 4, 2025 – 22:49 GMT):

AT&T has responded to Hackread.com’s inquiry with the following official statement:

“It is not uncommon for cybercriminals to re-package previously disclosed data for financial gain. We just learned about claims that AT&T data is being made available for sale on dark web forums, and we are conducting a full investigation.”

AT&T

Original Post url: https://hackread.com/hackers-leak-86m-att-records-with-decrypted-ssns/

Category & Tags: Security, Leaks, AT&T, Cyber Attack, Cybersecurity, data breach, LEAKS, Privacy, Russia, SSN
