Advertisement
This is member-exclusive content
icon/ui/info filled

newsWatchdog

How did a Dallas man know AT&T had an apparent data breach 10 days before AT&T said so?

You can check for free to see if your information is for sale on the dark web.

Avi Adelman of Dallas contacted me early one morning to report that his AT&T account was hacked and for sale on the dark web of the internet.

Could it be true? AT&T had said nothing about a data breach. The Watchdog began fact-finding.

Why This Story Matters
When an AT&T data breach happens, it can affect millions of customers. A Dallas man shows us a website where you can, for free, see if you are a data breach victim.

Adelman subscribes to a free protection service called Have I Been Pwned. The website explains that pwned derives from the word owned and is used to imply that someone has been controlled or compromised.

Advertisement

The day he called me, he woke up to an email from the pwned website with this subject line: “You’re one of 49,102,176 people pwned in the alleged AT&T data breach (unverified).”

Watchdog Alert

Are you a taxpayer in Texas? The Watchdog has your back.

Or with:

The message said the breach was of 2021 data and included names, birthdates, phone numbers, Social Security numbers and addresses.

“I don’t recall either reading about this data breach, or getting a notification from AT&T,” he said.

Advertisement

I contacted AT&T and later that night was told there was no breach. Inquiries had come from bloggers and cybersecurity media sites, but the story hadn’t hit major media. Not yet.

I was given this statement: “We have no indications of a compromise of our systems. We determined in 2021 that the information offered on this online forum did not appear to have come from our systems. This appears to be the same dataset that has been recycled several times on this forum.”

I paid no more attention.

Advertisement

Then 10 days later, Adelman sent me another email in all caps: “OH NOW THEY ADMIT IT HAPPENED.”

That day, AT&T sent him an email that said his account passcode was compromised.

It added, “Our internal teams are working with external cybersecurity experts to analyze the situation. It appears the data is from more than four years ago and does not contain personal financial information or call history.”

A day later, the story spread everywhere.

AT&T confirmed what the pwned website said previously. AT&T waited 10 days before acknowledging that names, email addresses, home addresses, phone numbers, Social Security numbers, birthdates, account numbers and passcodes were all up for grabs.

The AT&T breach affected 7.6 million current account users and 65.4 million former users. Lawyers are filing class-action lawsuits against AT&T.

Obviously, haveibeenpwned.com is a website worth joining. I’ve been waiting for us to get together in this column before testing it plus another site.

I’ve held off and don’t know what I’ll find.

Advertisement

OK, I’m going to the site now and typing in my email address. The answer comes back: “Oh no – pwned! Pwned in 11 data breaches.”

They include Dropbox, Canva, My Heritage and other sites I don’t use. I need to change the passwords.

Then I go to the “Notify Me” tab on the top and register my email for notifications like Adelman gets. “Get notified when future pwnage occurs and your account is compromised.”

Have I Been Pwned scans the dark web looking for signs of data breaches.

Advertisement

Second test site

I tried another credible website Malwarebytes.com/digital-footprint. I type in my email.

The results show I am not a victim of the AT&T breach, and my Social Security number is “not found but may still be at risk.”

This service, up to this point, is free. Malwarebytes then tries to sell protection services.

Advertisement

New Texas data law

Evelyn McKnight of Plano asks The Watchdog, “I would like to know how the general public can prevent this from happening. Why can’t the state protect our privacy?”

The state can only do so much. On June 1, the new Texas Data Privacy and Security Act takes effect. It focuses on offering you an opportunity to see data collected on you and punishes companies that abuse data collecting without your permission. You’ll also be able to opt out of the sale of your data, targeted advertising and data profiling.

It won’t stop data breaches, which are all too commonplace now.

Advertisement

This month Dell Technologies wrote me and many others that our names, addresses and Dell products we own have been leaked. It warns to be on the lookout for phony tech support scams.

In April, Frontier Communications alerted the U.S. Securities and Exchange Commission that a third party gained access to personal data. Systems were shut down and some customers experienced service failures.

Frontier adds, the third party was “likely a cybercrime group, which gained access to, among other information, personally identifiable information.”

Protect yourself

The key philosophy behind my Watchdog Nation consumer rights movement (if you’re reading this you’re automatically a member) is you can’t wait for someone else to protect you. You must protect yourself.

Advertisement
  • With that in mind, The Watchdog presents a list of simple protection tools with which you can defend yourself. You maybe already use some.
  • Update your AT&T passcode, even if you’re not a breach victim.
  • Sign up for Have I Been Pwned. Try the Malwarebytes digital scan. Go to Malwarebytes.com/digital-footprint or hunt around on their website.
  • Make passwords difficult. Don’t use pure words; shuffle letters, numbers and symbols.
  • Use 2-step authentication when it’s offered. The code comes to your cell phone or your email.
  • Get your free credit report from annualcreditreport.com. Type that in carefully and make sure you are at the government-approved site, not imitators that charge. Look for errors in your report and challenge them.
  • Check out the Google Password Checkup tool. Find it by searching on Google.
  • Freeze your credit accounts. It means no one can open an account in your name because their access is blocked. You’re blocked, too, until you reopen your account with a code. You can use your credit but you can’t open a new account without unblocking. It’s inconvenient but worth it.
  • Consider a credit monitoring service that you pay for monthly.
  • Fraud alerts help protect you. Put them on the three major credit bureaus – Experian, Equifax and TransUnion. They are supposed to be free.

Go for it. I don’t want you to get pwned.

Related Stories
Read More
Brian Whittington, with his Toyota Tundra pick-up he uses to tow a single axle trailer for...
Houston driver fights repeated overcharging from toll authority
Driver Brian Whittington says Harris County Toll Road Authority keeps overbilling him due to a TxDOT equipment error, but he’s received little help resolving the issue.
Andrew Hoeft, posing beside a toll road he has to take regularly, is the owner and operator...
A bad address for a TxTag account cost a Cedar Park man hundreds in toll fines
Andrew Hoeft had to pay $900 in penalties to TxDOT because he didn’t update the address on his credit card.