AT&T’s 73-Million Record Breach Sat on the Dark Web for Years Before Anyone Noticed
In March 2024, AT&T confirmed that a dataset containing personal information for approximately 73 million current and former customers had been leaked on a dark web forum. The data included Social Security numbers, account passcodes, names, addresses, phone numbers, and dates of birth.
What made the breach notable beyond its scale was the timeline. The dataset had reportedly been circulating since 2021, when a threat actor first claimed to have stolen it. AT&T denied the breach for three years. The company only confirmed the incident after security researchers matched the leaked data against real AT&T customer records.
The leaked passcodes — four-digit account PINs used to verify identity over the phone or online — were stored in encrypted form but were weak enough to crack. AT&T reset all affected passcodes after the breach was confirmed.
This case illustrates a problem that organizations consistently underestimate: the gap between when data is stolen and when the theft is discovered. Three years elapsed between the initial claim and AT&T’s formal acknowledgment. During that window, affected customers had no way to know their Social Security numbers and account credentials were already in circulation.
Breach disclosure timelines remain one of the most significant unresolved problems in consumer data protection.