Another day, another leak. Bad actors have posted what they allege to be a massive trove of AT&T customer data, 86 million records in total. But questions loom: Is this connected to last year’s Snowflake breach? Or is it something even bigger?
The hackread.com research team first spotted the leak on 15 May 2025. It surfaced on a well-known Russian cybercrime forum, only to be reposted on 3 June. That’s when it began circulating widely across dark web channels.
The threat actor behind the dump claims it’s the same data stolen in April 2024, when the ShinyHunters group exploited Snowflake’s cloud infrastructure. AT&T’s name is once again in the spotlight.
The researchers looked deeper. What they found paints a dire picture.
What’s in the Leak?
Plenty. More than most people would be comfortable knowing.
The dataset includes:
- Full names
- Dates of birth
- Phone numbers
- Email addresses
- Physical addresses
- And most alarmingly: 44 million Social Security Numbers in plain text
Let that sink in. Not masked. Not encrypted. Fully exposed.
The attacker claims that the sensitive fields (DOBs and SSNs) were initially encrypted but have now been decrypted and dumped in plain text. If you’re an AT&T customer, your SSN might be out there.
And it’s not just speculation. Hackread.com analyzed the files. They found 86,017,090 unique customer entries, more than the 70 million claimed by the leaker. These records are neatly organized into three CSV files. Structured. Easy to read. Easy to exploit.
The Snowflake Connection, Or Is It?
Let’s rewind.
In April 2024, AT&T suffered a major breach. Malefactors infiltrated its Snowflake cloud environment and accessed metadata from calls and texts, no content, but plenty of context. Nearly 110 million records were impacted. The breach spanned from May 2022 through January 2023.
Attackers reportedly used stolen credentials, bypassed MFA, and executed a widespread campaign targeting over 160 Snowflake customers.
AT&T, under pressure, paid a ransom of $370,000 in Bitcoin to have the data deleted. The transaction was mediated by an intermediary named Reddington.
Now, the same threat actor says the new leak is a backup of that very database. But there’s a catch.
Hackread.com’s analysis shows that the leaked records do not include metadata. No call durations, no interaction counts. Just raw personal data. That doesn’t line up with what the Snowflake breach reportedly exposed.
So what are we looking at?
Possibly a separate leak. Possibly a recombination of multiple older breaches. Possibly a more dangerous evolution of past compromises.
A Pattern of Breaches
This isn’t AT&T’s first rodeo.
Back in August 2021, ShinyHunters claimed to hold data on 70 million AT&T customers. The company denied it. Then, in April 2024, AT&T reversed course and acknowledged the breach.
That 2021 dataset affected 7.6 million current and 65.4 million former account holders. It also included encrypted SSNs, which now, in this latest dump, appear to have been decrypted and exposed.
Hackread.com matched multiple fields (names, emails, addresses, phone numbers) across both leaks. It’s likely the same base data, now more dangerous.
What Makes This Leak Different?
Structure. Intent. And encryption, or lack of it.
The April 2024 leak was chaotic. A poorly formatted mess with no field labels. But the latest leak? Clean. Categorized. A hacker’s dream.
It’s not just the structure. It’s the decryption. SSNs that were once protected are now available in plain text, mapped precisely to the rest of the personal data.
“We’re all exhausted hearing about data breaches – and compromises of this magnitude can have so many root causes, and cascading failures allowing them to happen,” commented Trey Ford, Chief Information Security Officer at Bugcrowd. “AT&T, no doubt, will face difficult questioning after their latest breach. However, I think there’s a bigger question we need to be asking.”
Ford says that in 2025, the United States is still relying on a static number (the Social Security Number) as the universal secret identity code, enabling miscreants to abuse our identity. “There are organizations selling monitoring that profit off this problem space. What will it take for us to ruin the SSN’s usefulness to bad actors, to de-value the SSN as loot to be stolen for profit – and to adopt a more meaningful, better controlled, more transparent, and FAR more secure option?”
It is time to consider the SSN a part of public record, added Ford, just like names, addresses, and phone numbers, and institute a central and federated technical control system for authenticating and authorizing the use of identity records.
A Significant Risk to Identities
Thomas Richards, Infrastructure Security Practice Director at Black Duck, summed it up: “The original breach of sensitive records from AT&T was enough to worry their customers, now it poses a significant risk to their identities. With both date of birth and SSNs being compromised, malicious actors have all the information they need to commit fraud and impersonate AT&T customers. If they haven’t already, the affected users should be notified and actively monitor their credit for any signs of fraud.”
Darren Guccione, CEO and Co-Founder at Keeper Security, added: “Effective cybersecurity isn’t just about sealing off the front door, it requires vigilance in closing known security gaps and limiting damage when defenses fail. Telecom providers must take a layered approach that includes zero trust, least-privilege access and Privileged Access Management (PAM). PAM helps restrict lateral movement by securing and limiting access to critical systems, making it significantly harder for attackers to persist and minimizing the impact of a breach. By securing critical accounts, and restricting lateral movement, organizations can make it significantly harder for adversaries to maintain control over time.”
Is this the Snowflake database? Maybe part of it. Maybe not.
One thing is certain: this leak is real, and it’s dangerous. With more than 86 million detailed records and decrypted SSNs in the wild, the impact could be severe. Especially for users who have now seen their data compromised multiple times over the past few years.
AT&T has responded to Hackread.com’s inquiry with the following official statement: “It is not uncommon for cybercriminals to re-package previously disclosed data for financial gain. We just learned about claims that AT&T data is being made available for sale on dark web forums, and we are conducting a full investigation.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.