Disaster Exclusive: Hackers Leak 86 Million AT&T Records with Decrypted SSNs - "Hackers leak data of 88 million AT&T customers with decrypted SSNs"


Hackers leak data of 88 million AT&T customers with decrypted SSNs; latest breach raises questions about links to earlier Snowflake-related attack.

Hackers have leaked what they claim is AT&T’s database, which was reportedly stolen by the ShinyHunters group in April 2024 after they exploited major security flaws in the Snowflake cloud data platform.

As seen by the Hackread.com research team, the data was first posted on a well-known Russian cybercrime forum on May 15, 2025. It was re-uploaded on the same forum on June 3, 2025, after which it began circulating among other hackers and forums.


After analyzing the leaked data, we found it contains a detailed set of personal information. Each of these data points poses a serious privacy risk on its own, but together, they create full identity profiles that could be exploited for fraud or identity theft. The data includes:
  • Full names
  • Date of birth
  • Phone numbers
  • Email addresses
  • Physical addresses
  • 44 Million Social Security Numbers (SSN) (43,989,219 in total)

Plain Text and Full Social Security Numbers (SSNs) Leaked


Here’s the troubling part: the threat actor claims that both date of birth and Social Security numbers (SSNs) were originally encrypted but have since been fully decrypted and are now included in the leaked data as plain text. Put simply, if you’re an AT&T customer, your SSN could be part of this leak.


Not that it changes much; your SSNs were likely already exposed in the August 2024 National Public Data breach, where a now-arrested hacker using the alias USDOD leaked over 3.2 billion SSNs and other personal details online.

Background of AT&T Snowflake Data Breach

AT&T has a long history of large-scale data breaches, so if this feels familiar, you’re not imagining it. Buckle up, this is just the latest in a growing list.

In April 2024, as reported by Hackread.com, AT&T experienced a major data breach when hackers accessed its Snowflake cloud environment, compromising the call and text metadata of nearly 110 million customers.

The breach, which lasted from May 2022 to October 2022 and included some records from January 2023, exposed phone numbers, interaction counts, and call durations, though not the content of communications or personally identifiable information.

The cyberattack was part of a large-scale campaign targeting over 160 Snowflake customers. Hackers exploited stolen credentials lacking multi-factor authentication to infiltrate these environments.

AT&T’s compromised data was stolen by a hacker associated with the ShinyHunters group. Reports indicate that AT&T paid a ransom of approximately $370,000 in Bitcoin to have the stolen data deleted, a transaction facilitated through an intermediary known as Reddington.

It’s worth noting that the ShinyHunters group also took credit for the major Ticketmaster data breach connected to the Snowflake security lapse, in which data of 560 million users was put up for sale online.

In response to the breach, AT&T initiated an incident response process with third-party cybersecurity experts, closed the unauthorized access point, and notified affected customers. The company stated that it does not believe the data is publicly available.

The breach prompted scrutiny from US lawmakers, with Senators Richard Blumenthal and Josh Hawley demanding explanations from AT&T and Snowflake regarding the security lapses that led to the incident. They expressed concerns about the misuse of the compromised data by malicious actors.

Is this the AT&T Database from Snowflake Breach? Not So Fast.

The threat actor behind the latest leak claims the database contains 70 million AT&T customer records stolen in April 2024 by exploiting a major security vulnerability in the Snowflake cloud data warehouse.

“Originally one of the databases from the Snowflake breach, here is my backup I created,” the account behind the data leak stated. But does that claim hold up? Not quite.

Hackread.com’s analysis reveals that the dataset actually includes more than 88 million (88,320,018) records. After removing duplicates, the number drops to more than 86 million (86,017,090) unique entries, far more than the claimed 70 million.

There’s another issue. The database contents don’t fully match what was reported in the Snowflake-related AT&T breach. That breach reportedly exposed nearly 110 million customer records, including call and text metadata, none of which appears in this leak.

So, is this a partial AT&T database from the Snowflake breach? Maybe, maybe not. But unless AT&T officially confirms it, there’s no way to say for certain.

But, There’s More

In August 2021, the notorious hacking group ShinyHunters claimed to possess a database containing the personal information of over 70 million AT&T customers. They listed this data for sale on the now-seized Raid Forums marketplace, starting at $200,000.

Hackread.com reviewed sample records provided by the group back in 2021, which included full names, addresses, ZIP codes, dates of birth, email addresses, and encrypted Social Security Numbers (SSNs). AT&T responded by stating that, based on their investigation, the information did not appear to originate from their systems.

However, in April 2024, after nearly two years of denial, AT&T acknowledged the August 2021 data breach when ShinyHunters leaked the full database on BreachForums. “Based on our preliminary analysis, the dataset appears to be from 2019 or earlier, affecting approximately 7.6 million current AT&T account holders and 65.4 million former account holders,” the company admitted.

Similarities and Differences Between the April 2024 AT&T Leak and the Latest One

Hackread.com has noticed several similarities and differences between the April 2024 AT&T leak and the latest one. The April 2024 leak was a poorly structured mess. The data appeared in a loosely organized, pipe-delimited format with no field labels, making it difficult to interpret or analyze without a corresponding schema to explain each value.

The latest leak is well-structured, clearly formatted, and straightforwardly divided into three CSV files, making it easy to understand what each field represents. Interestingly, the biggest similarity, and difference, between the two leaks is the handling of Social Security Numbers (SSNs). In the 2024 leak, the SSNs were encrypted. In the latest leak, however, those same SSNs appear to have been decrypted.

Hackread.com conducted a detailed analysis and found that all previously encrypted SSNs from the earlier leak have been carefully decrypted and mapped in the new dataset, making them more accessible for malicious use.


We also found matching customer names, email addresses, physical addresses, and phone numbers across both leaks. However, while the 2024 leak contained around 73 million records, the latest dataset includes 86 million.

This makes it unclear whether the new leak is simply the 2024 database with decrypted values, or if it originates from the more recent Snowflake-related breach. That said, the data appears legitimate, especially since AT&T has already acknowledged the earlier breach and data leak.

Our Conclusion

At this point, it’s difficult to say with certainty whether the newly leaked database is a decrypted version of the 2024 Snowflake breach, a separate dump, or some combination of both. What’s clear, though, is that a massive amount of highly sensitive AT&T customer data is circulating once again, this time in a more organized and potentially more dangerous form.

With decrypted Social Security Numbers, full personal details, and a growing pattern of repeated exposure, the stakes for affected users are higher than ever. While AT&T has acknowledged past breaches, the company has yet to confirm whether this latest dataset is part of the same incident or something new altogether.

Until a formal response is issued, unfortunately, unsuspecting customers are left in the dark, relying on our report, and forums to understand the scope of their exposure. Nevertheless, we have reached out to AT&T and this article will be updated accordingly.
 
Not that it changes much; your SSNs were likely already exposed in the August 2024 National Public Data breach, where a now-arrested hacker using the alias USDOD leaked over 3.2 billion SSNs and other personal details online.
???
SSNs are 9 digits long, meaning they cap out at 10 billion unique numbers; I would have assumed we weren't anywhere close to using up half of them, plus there's not even a billion Americans alive.

EDIT: I counted wrong, they can only represent 1 billion numbers, 3.2 billion SSNs literally can't even exist.
 
???
SSNs are 9 digits long, meaning they cap out at 10 billion unique numbers; I would have assumed we weren't anywhere close to using up half of them, plus there's not even a billion Americans alive.

EDIT: I counted wrong, they can only represent 1 billion numbers, 3.2 billion SSNs literally can't even exist.

A journalist talking shit about stuff they don't understand? Say it ain't so!
 
???
SSNs are 9 digits long, meaning they cap out at 10 billion unique numbers; I would have assumed we weren't anywhere close to using up half of them, plus there's not even a billion Americans alive.

EDIT: I counted wrong, they can only represent 1 billion numbers, 3.2 billion SSNs literally can't even exist.
Journos are dumb niggers. They just see a big scary number and don't think twice.

The NPD leak had multiple entries for each person. It was basically all address history for a given person up to 2008 or 2009 from what I recall. So the row count was in fact 3.2 billion but the actual unique SSN count is a lot less (maybe <100 million).
If you didn't own a house or rent an apartment before 2009, you weren't in the freely released public list at least. Not sure if the guy who leaked it was trying to sell the more recent data.
 
???
SSNs are 9 digits long, meaning they cap out at 10 billion unique numbers; I would have assumed we weren't anywhere close to using up half of them, plus there's not even a billion Americans alive.

EDIT: I counted wrong, they can only represent 1 billion numbers, 3.2 billion SSNs literally can't even exist.
Well that's good because 88 million were leaked
 
Maybe I'm retarded but why does AT&T have ssns in the first place?
Because there is no such thing as a "free" phone. When you sign up for post paid service and a discounted phone they run a credit check on you.

I have TMO pre-paid and they only really know my name. And I only had to give them that because I was porting in an old post paid cell number and the names had to match up. I could have just lied since the dude just asked me verbally without checking any sort of physical ID.
 
At&t was in the news a while back about having some of the actual worst anti-white, apologize for being white, worship da blacks employee training materials so we can maybe expect to see a statement that they feel it is their honor bound duty to make restitution and reparations for the Telecom Users of Color who've been affected the most by this data leak. "They can't even get a car loan because of the mistakes we as a company made"
 