Repackaged AT&T Data Leak Exposes 49M Users with Linked SSNs and Birthdates

A threat actor has re-released data from a 2021 AT&T breach, now combining previously separate datasets to directly link Social Security numbers (SSNs) and birthdates to 48.9 million phone numbers. The repackaged data, which appeared on a Russian hacking forum in 2025, falsely claimed ties to the 2024 Snowflake breach. After deduplication, the leak impacts 86 million unique records, exposing unencrypted personally identifiable information (PII). This incident highlights persistent risks from historical breaches when data is recombined for enhanced exploitation.

Key Details of the Repackaged Breach

The re-released dataset originates from AT&T’s 2021 breach, initially attributed to the ShinyHunters group, which compromised 70 million customer records. The 2025 iteration merges previously isolated data fields, creating a more dangerous composite: phone numbers paired with SSNs and dates of birth. Security researchers confirmed the data’s authenticity through cross-referencing with AT&T’s internal records and prior breach disclosures. The dataset includes fields unique to AT&T customers, such as account PINs and device IMEIs, increasing its utility for identity theft.

BleepingComputer first reported the forum post where the actor marketed the data as “fresh,” despite its 2021 provenance. The inclusion of cell-tower location data from AT&T’s 2024 call records breach enables geolocation tracking of affected users. AT&T has not confirmed whether this specific dataset came from their systems or a third-party vendor, though the presence of proprietary fields suggests direct extraction.

Broader Impact and Historical Context

This incident compounds AT&T’s recent security challenges, including a separate 2024 dark web leak affecting 73 million current and former customers. That breach exposed data from 2019 or earlier, prompting AT&T to offer credit monitoring services. Legal filings reveal that 73 million customers are now part of a class-action arbitration case alleging delayed breach investigation and inadequate safeguards.

The table below summarizes AT&T’s major breaches since 2021:

| Year | Records Exposed | Data Types | Source |
|——|—————–|————|——–|
| 2021 | 70M | Phone numbers, email addresses | ShinyHunters breach |
| 2024 | 73M | Names, physical addresses, passcodes | Dark web leak |
| 2025 | 48.9M | SSNs, DOBs linked to phone numbers | Repackaged 2021 data |

Mitigation Strategies for Affected Organizations

For security teams handling fallout from this breach, we recommend:
1. **Credential Monitoring**: Deploy tools like Have I Been Pwned Enterprise to detect compromised employee or customer credentials.
2. **Phishing Simulations**: Test organizational resilience against targeted campaigns using the exposed PII combinations.
3. **IAM Review**: Audit identity systems for weak authentication points, especially where phone numbers serve as secondary factors.

Troy Hunt’s analysis notes that mobile virtual network operators (MVNOs) using AT&T’s infrastructure, such as Cricket Wireless, may face secondary exposure. Federal investigators have reportedly delayed public notifications to preserve evidence trails, according to AP News.

Conclusion

The repackaging of historical breach data into more exploitable formats represents an evolving threat model. Security teams should prioritize:
– **Data lineage tracking** to identify downstream impacts of past breaches
– **Behavioral analytics** to detect anomalous activity using old PII
– **Vendor audits** for third parties storing legacy customer data

AT&T’s cascading breaches demonstrate how insufficient remediation of initial incidents can enable long-term risks. The 2025 repackaging incident will likely fuel fraud campaigns for years due to the immutable nature of SSNs and birthdates.