Editor’s Note: The re-emergence of AT&T customer data in dark web marketplaces this June marks a troubling evolution in data breach dynamics. For cybersecurity, information governance, and eDiscovery professionals, this incident highlights how legacy breaches can evolve into new threats as stolen data is repackaged, decrypted, and redistributed. While not a new compromise, the decryption of nearly 44 million Social Security Numbers and the consolidation of identity data into actionable profiles significantly amplify risks, demanding renewed vigilance and proactive response strategies. This analysis presents a concise case study of the life cycle of compromised data and its ongoing implications for breach notification, legal exposure, and security policy.
Content Assessment: AT&T Repackaged Data Leak 2025: New Risks from Old Breaches
Information 93% | Insight 93% | Relevance 92% | Objectivity 91% | Authority 90% | Overall 92% (Excellent)
A short percentage-based assessment of the qualitative benefit, expressed as a percentage of positive reception, of the recent article from ComplexDiscovery OÜ titled "AT&T Repackaged Data Leak 2025: New Risks from Old Breaches."
Industry News – Cybersecurity Beat
AT&T Repackaged Data Leak 2025: New Risks from Old Breaches
ComplexDiscovery Staff
In June 2025, the cybersecurity and legal technology sectors were jolted by the re-emergence of a massive trove of AT&T customer data on dark web forums. While headlines suggested a new breach, a closer look reveals this incident is the repackaging and enhancement of data originally stolen in earlier attacks, now more dangerous due to the full decryption and consolidation of sensitive information.
On May 15, 2025, and again on June 3, a threat actor posted what they claimed was AT&T’s customer database on a Russian-language cybercrime forum. The leak contains over 86 million unique records, including full names, dates of birth, phone numbers, email addresses, physical addresses, and nearly 44 million Social Security Numbers, all now in plain text.
The seller claimed the data came from the 2024 Snowflake cloud incident, but the exact origin of the repackaged dataset remains under investigation. AT&T and independent researchers believe it is primarily a repackaged and decrypted version of records stolen in the 2021 ShinyHunters breach, though some reports suggest it may also fold in data from the 2024 Snowflake incident or combine several breaches. What makes the current dataset more dangerous is that fields that were previously encrypted in the leaked copies, notably Social Security Numbers and dates of birth, now appear in plain text and are linked directly to customer profiles.
AT&T stated, “After analysis by our internal teams as well as external data consultants, we are confident this is repackaged data previously released on the dark web in March 2024. Affected customers were notified at that time. We have notified law enforcement of this latest development.”
The Evolution of a Multi-Year Breach
The original breach was attributed to the ShinyHunters group in August 2021, when they claimed to possess a database containing the personal information of over 70 million AT&T customers. The group listed this data for sale on the now-seized RaidForums marketplace, starting at $200,000. AT&T initially denied that the customer data being offered for sale belonged to it, stating that, based on its investigation, the information did not appear to originate from its systems.
However, in March 2024, AT&T confirmed that data leaked from the previously denied 2021 breach did indeed belong to AT&T, acknowledging that it affected approximately 73 million current and former customers. This marked a significant reversal from the company’s initial position and represented one of the largest telecommunications data breaches on record.
The most recent leak involved combining and cleaning up previously separate files, linking decrypted Social Security Numbers and birth dates directly to customer records. While investigators continue to analyze the data sources, the consensus among cybersecurity experts is that this represents an enhanced compilation of previously stolen information rather than an entirely new breach.
Distinguishing Between Concurrent Breaches
A separate incident involved Snowflake, a cloud data warehouse provider: attackers used stolen credentials to log in to customer accounts on the platform that were not protected by multi-factor authentication, rather than exploiting a vulnerability in Snowflake itself. That campaign affected over 165 organizations, AT&T among them. The intrusion into AT&T's Snowflake environment occurred in April 2024 and was disclosed by the company in July 2024. The data taken consisted of call and text metadata (the numbers interacted with, interaction counts and durations, and for some records cell-site identifiers, but not the content of calls or messages) for nearly 110 million customers covering May 1, 2022 through October 31, 2022, plus a smaller set of records from January 2, 2023. Importantly, that dataset did not include Social Security Numbers, dates of birth, or customer names.
Reports indicate that AT&T paid a ransom of approximately $370,000 in Bitcoin to have the Snowflake-related stolen data deleted. The ShinyHunters group was also associated with this Snowflake campaign, having taken credit for the major Ticketmaster data breach connected to the same security incident.
The current 2025 leak represents a dangerous evolution because it takes the 2021 ShinyHunters data and enhances it by fully decrypting previously protected fields, making complete identity profiles readily available to threat actors.
Corporate Response and Legal Implications
AT&T has reiterated that all affected customers were notified after the 2024 acknowledgment and is not planning to reissue notifications for this repackaged data. The company continues to offer credit monitoring and identity theft protection to those impacted and has notified law enforcement of this latest development.
This incident has prompted legal action against AT&T, with class-action lawsuits being filed by affected customers. While the legal proceedings are still developing and outcomes remain uncertain, the cases generally allege negligence in protecting customer data and seek financial compensation for affected individuals. The repeated security incidents and AT&T’s initial denial followed by later acknowledgment of the 2021 breach have drawn scrutiny from critics who allege inadequate security measures and transparency issues.
Customer Protection Recommendations
Customers are advised to take immediate protective measures, including monitoring credit reports and financial accounts for suspicious activity, enabling multi-factor authentication on all digital accounts, and using AT&T's online tools to check whether their data was affected if they were customers between 2021 and 2023, when the various breaches occurred.
Security experts particularly recommend switching from SMS-based multi-factor authentication to app-based or hardware tokens, as phone numbers can be exploited for SIM-swapping attacks. Given that both dates of birth and Social Security Numbers have been compromised, affected individuals should consider placing fraud alerts or freezing their credit reports to prevent unauthorized accounts from being opened.
Industry-Wide Implications
This incident underscores the evolving risks of legacy breach data and highlights several critical challenges facing the cybersecurity and legal technology sectors. As threat actors repackage and decrypt old datasets, the danger to individuals and organizations grows with each pass, because every added or recovered field makes the resulting profiles more directly usable for fraud. The ShinyHunters group, which remains under investigation by the FBI, Indonesian police, and Indian police, has demonstrated a pattern of targeting major corporations and repackaging stolen data for maximum financial gain.
The case illustrates how initial data breaches can have long-lasting consequences, with stolen information becoming more dangerous over time as encryption is broken and datasets are consolidated. The ongoing uncertainty about the exact composition of the current leak—whether it represents purely repackaged 2021 data or includes elements from subsequent breaches—highlights the complex challenges facing forensic investigators and affected organizations in the aftermath of major security incidents.
The breach also raises questions about corporate transparency and the timing of breach disclosures. AT&T’s initial denial of the 2021 breach, followed by acknowledgment in 2024, and now the reappearance of enhanced data in 2025, demonstrates the extended lifecycle of major data security incidents.
For the broader cybersecurity industry, the incident reinforces the importance of continuous monitoring for reappearances of previously stolen data, of protecting sensitive fields in a way that does not collapse once the dataset itself is exfiltrated (keys held outside the data store, and no unkeyed transforms of low-entropy identifiers such as nine-digit Social Security Numbers, which an attacker can enumerate offline), and of transparent communication with affected parties. As threat actors become more adept at enhancing and repackaging stolen data, organizations must plan for breaches whose consequences extend far beyond initial discovery and disclosure.
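The following is an added example, not code from the article and not a description of how AT&T actually protected the fields in question (the article does not say). It illustrates the general design point above: a nine-digit identifier such as a Social Security Number that is stored under an unkeyed transform looks "encrypted" in a dump but can be recovered offline by enumeration, whereas a keyed transform whose key lives outside the data store cannot be inverted from the dump alone. The customer records, the SSNs, the `123-45` area/group prefix, and the `PSEUDONYM_KEY` are all constructed for the demonstration; in production the key would be held in an HSM or KMS, which is an assumption of the example.

```python
"""Added example (not from the article, not AT&T's scheme): why an unkeyed
transform of a 9-digit SSN is recoverable offline from an exfiltrated dump,
and why a keyed transform with the key held outside the data store is not.
All records, SSNs, and the key below are constructed sample data."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample records; the SSNs are fictitious.
CUSTOMERS = [
    {"name": "Alice Example", "ssn": "123-45-0042"},
    {"name": "Bob Example", "ssn": "123-45-7777"},
]


def weak_protect(ssn: str) -> str:
    """Unkeyed SHA-256 of the SSN. It looks protected in a dump, but the
    input space is only 10**9, so anyone holding the dump can enumerate
    every candidate offline; nothing in the record slows that down."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def offline_recover(digest: str, area_group: str = "123-45") -> Optional[str]:
    """Attacker's view: brute-force the 4-digit serial given a known
    area/group prefix (10**4 candidates, so this runs in a fraction of a
    second). Enumerating the full 10**9 space is the same loop and is
    still practical offline for a modern GPU."""
    for serial in range(10_000):
        candidate = f"{area_group}-{serial:04d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


# Assumption for the example: in production this key lives in an HSM/KMS and
# is never stored beside the records, so a dump of the table excludes it.
PSEUDONYM_KEY = secrets.token_bytes(32)


def keyed_protect(ssn: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA-256 pseudonym of the SSN. Deterministic, so the service can
    still match and search on it, but inverting it requires the key, not
    just the dump."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def keyed_recover_without_key(token: str, area_group: str = "123-45") -> Optional[str]:
    """Attacker with the dump but not the key: the same enumeration fails,
    because each candidate must be HMACed under a key they do not have.
    (A guessed key stands in for what the attacker can actually try.)"""
    guessed_key = b"\x00" * 32  # not PSEUDONYM_KEY; the attacker lacks it
    for serial in range(10_000):
        candidate = f"{area_group}-{serial:04d}"
        if hmac.new(guessed_key, candidate.encode(), hashlib.sha256).hexdigest() == token:
            return candidate
    return None


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    """Protect each sample SSN both ways and report what an attacker holding
    only the dump recovers from each form."""
    results: Dict[str, Dict[str, Optional[str]]] = {}
    for c in CUSTOMERS:
        weak = weak_protect(c["ssn"])
        keyed = keyed_protect(c["ssn"])
        results[c["name"]] = {
            "weak_recovered": offline_recover(weak),          # the SSN comes back
            "keyed_recovered": keyed_recover_without_key(keyed),  # None
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point of the comparison is that the two forms have the same operational properties for the service (both are deterministic and equality-searchable), but only the keyed form keeps its security after the table is exfiltrated. The same reasoning applies to reversible encryption: if the key is stored alongside the records, or is derivable from them, a copy of the data that leaks today can be decrypted at leisure years later.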
Continuous monitoring, implementation of zero-trust security models, and proactive customer communication remain essential for all data-driven enterprises seeking to protect against both initial breaches and the ongoing risks posed by legacy compromised data.
News Sources
- Major data breach exposes 86 million AT&T customer records, sparking identity theft fears: SSNs among details breached by hackers (New York Post)
- AT&T Investigating New Leak of 86 Million Customer Records with Decrypted SSNs (Cyber Insider)
- AT&T customers face an alarming new threat (The Street)
- AT&T investigating massive data leak affecting millions of users (Mashable)
- AT&T investigates claimed sale of 70m customer data dump (The Register)
Assisted by GAI and LLM Technologies
Source: ComplexDiscovery OÜ