AT&T has finally confirmed that a data breach has affected 73 million current and former customers after initially denying the leaked data originated from them. This confirmation comes after the company repeatedly denied for the past two weeks that a massive trove of leaked customer data originated from them or that their systems had been breached.

While the company continues to maintain that there is no indication their systems were breached, they have now confirmed that the leaked data belongs to 73 million current and former customers. According to AT&T’s preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders.

AT&T also revealed that the security passcodes used to secure accounts were leaked for 7.6 million customers. In 2021, a threat actor known as Shiny Hunters claimed to be selling the stolen data of 73 million AT&T customers, including names, addresses, phone numbers, and, for many customers, social security numbers and birth dates. At the time, AT&T denied that they suffered a breach or that the data originated from them.

Now, in 2024, another threat actor leaked the massive dataset on a hacker forum, prompting AT&T to finally acknowledge the breach. The company’s statement, shared with BleepingComputer, confirms the severity of the breach and the impact on millions of its customers.