In a major data breach, AT&T revealed that the call and text message records of tens of millions of its cellphone customers were exposed between mid-2022 and early 2023. The breach, attributed to an “illegal download” on a third-party cloud platform, affected nearly all AT&T cellular customers and those using mobile virtual network operators on its network from May 1, 2022, to October 31, 2022. A small number of records from January 2, 2023, were also compromised.

AT&T, which had approximately 110 million wireless subscribers at the end of 2022, stated that while customer names were not directly exposed, publicly available tools could potentially link names to specific phone numbers. Additionally, for some records, cell site identification numbers were exposed, potentially revealing broad geographic locations of the calls and texts.

The company assured that the breach did not include the contents of the calls or texts, nor did it contain personal information such as Social Security numbers or dates of birth. Usage details like the time of calls and texts were also not compromised.

AT&T learned of the breach in April and immediately launched an investigation, hired cybersecurity experts, and took steps to secure the access point. The company is cooperating with law enforcement, and at least one arrest has been made.

AT&T promised to notify affected customers and provide resources to protect their information. This breach is unrelated to an earlier incident disclosed in March, where personal information of 73 million customers was leaked onto the dark web. AT&T remains committed to protecting customer information and regrets the incident.