Basic call and text records from mid-2022 and early 2023 were exposed in this breach. These records include inbound and outbound phone numbers, call duration, and, in some cases, location data (based on cellular tower ID numbers). Critical information, such as social security numbers, birthdays, or the contents of calls and texts, was not exposed.
The data leak extends to all MVNOs that utilize AT&T’s network. This includes Boost Infinite, Consumer Cellular, Cricket Wireless, Straight Talk, TracFone, and more.
However, AT&T itself was not the target of this attack. Hackers stole the phone records from Snowflake, a cloud storage and data analysis company that has grown notorious for its questionable security practices. Snowflake is the source of the recent Ticketmaster and Neiman Marcus data leaks, and it may be involved in security incidents that are yet to be disclosed.
AT&T hasn’t explained why customer phone records were in the hands of a third-party data analysis company. I suspect that this will become a pain point for those who are affected by the incident.
“Our investigation found that the downloaded data included phone call and text message records of nearly all of AT&T cellular customers from June 29, 2025 to July 20, 2025 as well as on July 22, 2025. These records identify other phone numbers that an AT&T wireless number interacted with during this time, including AT&T landline (home phone) customers. For a subset of the records, one or more cell site ID numbers associated with the interactions are also included.”
The long-term impact of this breach is unclear. While basic phone records can’t be used to commit identity theft, they could enable targeted phishing or harassment campaigns. A criminal may attempt to impersonate someone you regularly call and text, for example, or they may attempt to blackmail you with your embarrassing call history (the phishing threat is relevant to everyone, while blackmail is more of a concern for public figures).
As for whether the stolen phone records have been traded on the dark web—we don’t know. It may be too early to make any definitive statements on this particular point, though AT&T believes that hackers haven’t made the stolen data public.
AT&T discovered this breach on April 19th after a “theft actor” bragged about stealing call logs. Due to the scale of this incident, the U.S. Department of Justice ruled that AT&T should delay its public disclosure by more than 60 days. Delayed disclosures are permitted under SEC Form 8-K, though a delay of more than 30 days is described as an “extraordinary circumstance.”
For reference, this is the second data breach that AT&T has disclosed in 2024. The previous data breach, which exposed customers' social security numbers, is unrelated to today’s incident.
Approximately 110 million AT&T customers will be notified of this breach. Those who are affected (basically all AT&T cellular customers) should continue following common cybersecurity practices as described in AT&T’s public notice. Law enforcement has apprehended a suspect and is working to arrest others who were involved in this incident.