In yet another major cybersecurity crisis, hackers have leaked over 86 million AT&T customer records, including decrypted Social Security Numbers (SSNs). The incident raises new concerns about the long-term consequences of the Snowflake cloud platform breach and AT&T’s handling of user data across multiple known and now potentially unknown intrusions.
On May 15, 2025, a well-known Russian cybercrime forum became the first place where the newly leaked AT&T data surfaced. The dataset, reposted and shared widely by June 3, began spreading rapidly through various hacker communities. Upon analyzing the contents, researchers from Hackread.com confirmed the data includes:
- Full names
- Dates of birth
- Phone numbers
- Email addresses
- Physical addresses
- Nearly 44 million SSNs in plain text
What makes this breach especially alarming is that the SSNs were reportedly encrypted in earlier leaks but have now been fully decrypted. This elevates the threat level from mere exposure to active risk of identity theft, fraud, and impersonation.
Ties to the Snowflake Cloud Breach, But Not Definitively
The leak is being attributed to the ShinyHunters hacker group, notorious for previous high-profile attacks, including the Ticketmaster breach. The group claims this dataset was obtained during the April 2024 breach of AT&T’s Snowflake cloud environment. However, that connection is not entirely clear.
The April 2024 breach exposed metadata from customer calls and texts between May 2022 and October 2022, not the personally identifiable information (PII) such as SSNs or addresses included in the most recent leak.
The hacker behind the latest leak stated, “Originally one of the databases from the Snowflake breach, here is my backup I created.” However, Hackread.com’s analysis found over 88 million total records, reduced to 86 million unique entries after removing duplicates. That far exceeds the 70 million figure cited by the threat actor, and the contents differ in nature from the data stolen in the Snowflake breach.
Decryption of SSNs: A Dangerous Escalation
One of the most disturbing elements of this leak is the presence of fully decrypted SSNs, in contrast to earlier data dumps where SSNs were encrypted. According to Hackread’s research, the same encrypted SSNs seen in previous breaches have now been systematically decrypted and remapped, indicating a deeper level of criminal coordination and sophistication.
Cybersecurity expert Thomas Richards from Black Duck emphasized the threat:
“With decrypted SSNs and birth dates, attackers now have a full identity profile, enough to commit credit fraud, access accounts, or impersonate victims for other malicious purposes.”
AT&T’s Response and Past History with Breaches
AT&T has had a troubled record with data security in recent years. In August 2021, ShinyHunters claimed to have leaked personal data of 70 million customers, though AT&T denied its systems were involved. That changed in April 2024, when AT&T acknowledged the breach, stating that it affected 7.6 million current and 65.4 million former customers and likely originated from 2019 or earlier.
Additionally, AT&T was targeted during the massive Snowflake breach campaign that exploited stolen credentials lacking multi-factor authentication. The company reportedly paid a $370,000 ransom in Bitcoin to hackers via an intermediary to prevent the data from being released.
Compared to the April 2024 data dump, which was disorganized and difficult to parse, the current leak is well-structured and segmented into three CSV files. This format makes the data easier to analyze and weaponize, posing a greater threat to affected individuals.
Hackread.com confirmed the presence of matching details including names, addresses, phone numbers, and email addresses from both leaks, though the structure and size of the dataset in the new release suggest it may be a refined or expanded version rather than a simple repackaging.
It remains unclear whether this new leak is a direct result of the Snowflake breach, a new breach, or a compilation of previous leaks with additional decrypted data. What is evident, however, is that:
- AT&T customer data is once again in circulation.
- The information is more accessible and exploitable than ever.
- Official confirmation from AT&T remains vague and limited.
In a June 4, 2025 statement to Hackread.com, AT&T responded:
“It is not uncommon for cybercriminals to re-package previously disclosed data for financial gain. We just learned about claims that AT&T data is being made available for sale on dark web forums, and we are conducting a full investigation.”
This latest leak represents a serious escalation in the cybersecurity challenges facing AT&T and its customers. With decrypted SSNs, birthdates, and other personal data now available in a clearly organized form, millions are vulnerable to identity theft, credit fraud, and social engineering attacks.
AT&T must act swiftly to:
- Confirm the origin of the leak
- Alert impacted customers
- Offer credit monitoring and identity protection services
Until then, customers remain in the dark, left to piece together the magnitude of their exposure through unofficial channels. In an age where data is currency, this leak is a reminder of just how valuable and dangerous our digital identities have become.