How to Protect Yourself After the Massive AT&T Data Breach

The data breach involved nearly all AT&T cellular phone customers during a monthslong period in 2022

By Allen St. John

A major data breach in 2022 exposed the phone and text records of almost all AT&T wireless phone customers, the company has revealed.

The actual content of the calls and texts wasn’t compromised in the data breach, which affected customer records from May 1 to Oct. 21, 2022, as well as on Jan. 2, 2023.

However, armed with details about every company or individual you’ve been in contact with—from your bank to your brother-in-law—cybercriminals could be better able to dupe you with phishing attacks, according to digital security experts.

“The beauty of the metadata [to a criminal] is that you can see where people are and who they’re communicating with,” says Stacey Higginbotham, a policy fellow at CR who works on technology issues. “It’s easy to see an individual’s relationships and where they spend their time.” For instance, the record of your text messages and calls can reveal what banks, retailers, and retirement-savings companies you do business with. 

This is also a national security issue, according to Higginbotham, because a foreign government could use such data to target specific, high-value individuals.

The information in the current data breach was stolen from Snowflake, a third-party cloud provider that analyzes customer data for AT&T and other companies. This March, in a separate incident, AT&T reported that 73 million customer records had been posted to a known cybercrime forum, and the company required customers to reset their passwords.

You can get more information about the breach on AT&T’s Unlawful Access of Customer Data page. The company says it will contact affected customers through text messages, email, or U.S. mail. In addition, if you log on to your AT&T account, you can see whether your account was involved in the breach and request details on the affected calls and texts.

How to Protect Yourself

How can you stay safe from the scams that might crop up in the wake of this massive breach? Experts say consumers should be particularly skeptical of text messages containing links or requests for information, even from what appear to be legitimate contacts. Here are tips to protect yourself—they are excellent practices whether you were involved in this data breach or not. Customized information on how to stay safe is available through the free CR Security Planner.

Don’t Click That Link
When you receive a new email or text message—especially one that looks suspicious, urgent, or unexpected—treat it skeptically. Scammers sometimes use cleverly disguised email, text messages, social media messages, or even phone calls to trick users into revealing important information, like passwords or credit card numbers. If, for example, you get an email or text message purporting to be from your bank that asks you to click on a link and log in to verify a purchase, don’t do it. You could end up on a site that looks identical to your bank’s but is actually run by criminals trying to steal your log-in credentials. Instead, open a new window or tab in your browser and go directly to the bank’s site that way.

Double-Check Before Responding to Urgent Messages
If you receive an urgent message from someone you might know—like a co-worker, family member, or bank representative—asking you to respond to an emergency, take a deep breath before you reply. The best move is to contact the apparent sender through another platform to determine whether the request is legit. For instance, call your friend or family member directly to see if they really have been in a crash and need money wired to them. Or get the number for your bank from a recent statement or the bank’s website. (Don’t use a number supplied in an email, because cyber criminals sometimes have their own call centers, complete with professional-sounding receptionists.) Be especially wary of messages that claim to be from government agencies. The IRS will never contact you through an unsolicited text message, email, or social media platform. 

Use Strong Passwords and Multifactor Authentication
Even if you’re careful, it’s still easy to fall victim to a scam. So protect yourself by creating a complex, unique password for every account. (A password manager can help.) Also set up multifactor authentication on your accounts—you’ll need to enter your password along with a second, temporary code to log in. This prevents criminals from accessing an online account if they somehow get your password. One option for multifactor authentication is to have the company send you a one-time code. Some companies also allow you to use an authenticator app loaded on your phone. An authenticator app may be safer because codes sent by email or text could be intercepted in some circumstances.

Check Your Statements
Regularly perusing your banking and credit card statements and periodically checking your credit file will help you spot any suspicious transactions, or even accounts that have been set up without your knowledge. You can get access to a free credit report at AnnualCreditReport.com. In addition, freezing your credit files with the major credit reporting agencies can help prevent criminals from opening new credit card or other accounts in your name.

Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2024, Consumer Reports, Inc.