Yet, today, I received email from what appears to be a legitimate AT&T address titled " Keeping Your Account Secure" advising me my AT&T passcode (and possibly other information) has been compromised and that AT&T has proactively changed my passcode.
Further deepening the mystery, I’m able to sign into my AT&T account using the credentials (username and password) stored in Bitwarden with no mention of my AT&T passcode being reset. So, my AT&T passcode is different from my AT&T password?
This is all suspiciously coincidental. I’ll take the precaution of changing my AT&T password stored in Bitwarden and won’t be replying to the email I received not that it suggested I should.
Of course, AT&T (presumably) had to add this in its email:
We take cybersecurity very seriously and privacy is a fundamental commitment at AT&T.
Well, then I suggest AT&T take privacy and security more seriously.
Edited to Add:
An AT&T passcode is indeed different from an AT&T password. Most would call what AT&T calls a passcode a PIN. AT&T passcodes apply to wireless accounts only, which explains why I’m able to sign into my AT&T account without it. Though I was an AT&T Wireless customer in the distant past, currently, I only have AT&T Internet.
But; ugh, among the possibly compromised information is my SSN and date of birth. I’m not happy AT&T.
Yes, apparently, the data was breached in 2019. AT&T says it does not know if the data came from its systems or from a third party vendor AT&T shared the information with. Either way, it’s AT&T’s responsibility to attempt making matters right for its customers and former customers.
The above image is snipped from a site I’ve mentioned previously: Have I Been Pwned. Given the nature of potentially compromised data, this breach is particularly bad.
AT&T says not all affected customers and former customers had “sensitive” data compromised but, as far as I know hasn’t yet notified those impacted precisely which of their data was compromised. AT&T needs to stop stonewalling and get on with it.
According to AT&T, some 70 million folks are affected. The question is to what extent? Apparently, some but not all of those 70 million or so folks have had what AT&T refers to as “sensitive personal” information compromised.
Further, according to AT&T, those whose “sensitive personal” information has been compromised will be further contacted by mail or email beyond the email we’ve already received but no timeline for that has been given. Meanwhile, I guess no news is to be seen as good news.
Yeah, WalletHub is taking the opportunity to suggest I might want to upgrade to their premium (paid) service.
AT&T is promising to pay for credit monitoring for those whose “sensitive personal” information was compromised but I haven’t seen anything indicating they’ve begun contacting anyone beyond the initial email.
The fact AT&T initially denied the data originated with them whether the breach itself did or not is not confidence inspiring.
After 12 days of silence from AT&T, it turns out no news was not good news. Today, I received a follow-up email indicating my “personal sensitive” information was indeed compromised.
While “to the best of their knowledge”, no financial information was disclosed, I am being provided with the obligatory one year free identity theft protection from Experian. Ah, the irony of that.
It is comforting to know that AT&T considers me to be a valued customer and that they take the privacy and security of my personal information seriously (which, of course, they didn’t).
I believe I’ve been provided with free credit monitoring on at least three occasions in the last year. One from a breach of one of our suppliers at work, one from a breach of a health provider, and I forget the third.
I get it, these things happen, but AT&T has been stonewalling this particular breach for four years. A subset of the breached information first appeared on the dark web in 2019. At the time, AT&T denied any involvement.
Now that the information has resurfaced, AT&T still says they’re unsure whether it was their systems that were breached or those of a third party vendor with whom they shared information. Among the potentially compromised info are social security numbers. For what purpose would any company need to share my social security number with a third party (other than a credit bureau and there’s no indication from AT&T the rumored third party is a credit bureau)?
I’ll take the precaution of changing my AT&T password stored in Bitwarden and won’t be replying to the email I received not that it suggested I should.
