AT&T's March 30, 2024 disclosure turned a long-disputed data set into a customer-account security incident. AT&T said preliminary analysis showed the records appeared to be from 2019 or earlier and affected roughly 73 million current and former account holders: about 7.6 million current accounts and 65.4 million former accounts. The company said it did not have evidence of unauthorized access to its systems and was still assessing whether the data originated from AT&T or one of its vendors.
The account-control risk sits in the data categories. AP reported that the exposed information could include Social Security numbers, passcodes, email and mailing addresses, phone numbers and birth dates, while AT&T said the data did not appear to include financial information or call history. Passcodes matter because they are account PINs used for customer support, retail account management and online account access. AT&T said it reset passcodes for the 7.6 million current customers whose passcodes were compromised.
The state-notice record narrows the consumer-protection angle. The Maine Attorney General notice lists AT&T's filing with 51,226,382 total persons affected for that notice, 89,842 Maine residents affected, March 26, 2024 as the listed occurrence and discovery date, April 10, 2024 as the written consumer-notification date, Social Security number as an acquired data category and 12 months of Experian IdentityWorks offered. That filing does not replace AT&T's 73 million account-holder estimate; it shows the regulatory notice surface tied to sensitive personal information.
The uncertainty should remain visible. BleepingComputer reported that the data resembled an older data set previously advertised in 2021, while Reuters reported AT&T's position that the incident had not had a material impact on operations. The public record supports the account-holder scope, passcode reset, sensitive-data risk and notification response. It does not prove a specific threat actor, exact initial-access path, vendor responsibility, final misuse level or a regulator enforcement outcome.

