AT&T has begun notifying U.S. state authorities and regulators of a security incident after confirming that millions of customer records posted online last month were authentic.
In a legally required filing with Maine’s attorney general’s office, the U.S. telco giant said it sent out letters notifying more than 51 million people that their personal information was compromised in the data breach, including around 90,000 individuals in Maine. AT&T also notified California’s attorney general of the breach.
AT&T — the largest telco in the United States — said that the breached data included customers’ full name, email address, mailing address, date of birth, phone number and Social Security number.
Leaked customer information dated back to mid-2019 and earlier. According to AT&T the records contained valid data on more than 7.9 million current AT&T customers.
AT&T took action some three years after a subset of the leaked data first appeared online, which prevented any meaningful analysis of the data. The full cache of 73 million leaked customer records was dumped online last month, allowing customers to verify that their data was genuine. Some of the records included duplicates.
The leaked data also included encrypted account passcodes, which allow access to customer accounts.
Soon after the full dataset was published, a security researcher notified TechCrunch that the encrypted passcodes found in the leaked data were easy to decipher. AT&T reset those account passcodes after TechCrunch alerted AT&T on March 26 to the risk posed to customers. TechCrunch held its story until AT&T could complete the process of resetting affected customer passcodes.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
AT&T eventually acknowledged that the leaked data belongs to its customers, including about 65 million former customers.
Companies experiencing data breaches that affect large numbers of people are required to disclose the incident with U.S. attorneys general under state data breach notification laws. In its notices filed in Maine and California, AT&T said it is offering identity theft and credit monitoring to affected customers.
AT&T has still not identified the source of the leak.
