Updated with comment from AT&T.
A well-known hacker (or hackers) says they've stolen the personal data of 70 million AT&T customers, including names, addresses, Social Security numbers, phone numbers and dates of birth.
In a statement to Bleeping Computer (opens in new tab), however, AT&T said that it had looked into the claim and concluded that the data "does not appear to have come from our systems."
- What data breaches are and how they can hurt you
- The best identity theft protection services
- Plus: T-Mobile data-breach website lets anyone sign up for ID-theft protection
ShinyHunters, the hacker(s) auctioning the data online, insists that the data is the real thing.
"It doesn't surprise me," ShinyHunters told RestorePrivacy.com (opens in new tab). "I think they will keep denying until I leak everything."
If the data is real — and it could still be real even if it didn't come from AT&T's servers — then those 70 million people are in dire danger of identity theft.
The stolen personal information is all an identity thief would need to open accounts in other people's names, pose as them in job applications, or get identification documents such as driver's licenses.
RestorePrivacy said at least some of the data samples they had seen appeared to be real, and an unnamed security expert told Bleeping Computer the same.
This news comes just a few days after the revelation of a data breach at rival phone company T-Mobile, which compromised the names, addresses, dates of birth and Social Security numbers of at least 48 million people. T-Mobile has confirmed the incident.
Get ready to do these things
Regarding the supposed AT&T breach, we would normally advise anyone affected by such a serious incident to put fraud alerts on their files with the Big Three credit-reporting agencies Equifax, Experian and TransUnion.
We'd also ask affected individuals to consider instituting credit freezes with the Big Three, although doing so can complicate getting a loan or opening new payment accounts.
If AT&T confirms a breach of its systems, it will offer identity theft protection to affected users. If you're one of those users, take up the company on its offer.
But because we don't yet know whether this claim of an AT&T data breach is valid, it might be premature to act without further information.
ShinyHunters' standard mode of operation is to steal data and offer to sell it in cybercriminal marketplaces. If there are no takers, then ShinyHunters posts the data online for free.
In the past couple of years, he, she or they have broken into databases belonging to at least 40 companies, although few are household names.
ShinyHunters has implied that the breached companies can sometimes buy the data back, and indeed they told RestorePrivacy that they were willing to come to such an "arrangement" with AT&T.
More importantly, ShinyHunters' claims of data theft almost always turn out to be true. AT&T customers should hope this claim turns out not to be.
Tom's Guide has reached out to AT&T for comment and clarification, and we will update this story when we receive a reply.
Update: AT&T responds
AT&T responded to our query with the same statement that was given to Bleeping Computer:
"Based on our investigation, the information that appeared in an internet chat room does not appear to have come from our systems."
Our AT&T contact added that the company could not speculate on where the data had come from, or whether it was real.