leaksear.ch has indexed an AT&T 2023 leak containing 4,999,826 records, about 5 million, from a threat-actor sample dated January 6, 2023, tied in the metadata to a third-party marketing vendor breach that ultimately affected approximately 9 million wireless accounts (leaksear.ch metadata). Public reporting at the time said AT&T notified customers after a January vendor incident exposed years-old Customer Proprietary Network Information, or CPNI, linked largely to device upgrade eligibility (www.bleepingcomputer.com).
What happened
AT&T said a marketing vendor experienced a security incident in January 2023 and that an unauthorized person accessed CPNI from some wireless accounts. The company told reporters that its own systems were not compromised and that approximately 9 million wireless accounts had CPNI accessed (therecord.media, www.securityweek.com). AT&T did not publicly identify the vendor in the reporting reviewed for this article (www.bleepingcomputer.com, www.theregister.com).
CSO Online reported that on January 6, 2023, a threat actor claimed to have found a third-party vendor's unsecured cloud storage containing 37 million AT&T client records and shared a sample of 5 million records (www.csoonline.com). leaksear.ch metadata identifies the indexed data as 4,999,826 records from a January 6 threat-actor sample, but the platform's indexing should not be read as independent verification of the vendor, storage environment, or the broader threat-actor claim (leaksear.ch metadata).
Publicly confirmed information is narrower: AT&T said the exposed information did not include credit card numbers, Social Security numbers, account passwords, or other sensitive personal information. Some reporting also said customer notifications stated the issue was resolved and that federal law enforcement was notified (www.bleepingcomputer.com, www.securityweek.com).
What data was exposed
The leaksear.ch index is searchable by email, name, and phone number (leaksear.ch metadata). The indexed records also contain first names, wireless phone numbers, email addresses, billing account numbers, ZIP codes, device manufacturer and model details, current and recommended device information, device color details, upgrade-eligibility indicators, installment status and dates, amounts such as MSRP, paid, installment, monthly or past-due figures, account or family account labels, contract schedule dates, and past-due flags (leaksear.ch metadata).
That field list aligns with public reporting that the exposed CPNI included first names, account numbers, wireless phone numbers, email addresses, and in some cases rate-plan, payment, monthly charge, minutes-used, or installment-related data (www.bleepingcomputer.com, www.securityweek.com). The metadata and public reporting state that SSNs, payment cards, and passwords were not included (leaksear.ch metadata, www.bleepingcomputer.com).
Why this matters
CPNI is regulated telecom data, and the FCC describes it as sensitive information carriers and providers hold because of their customer relationships, including call-related and usage details (consumercomplaints.fcc.gov). In this leak, the practical risk is not password reuse from exposed passwords, since passwords are not listed, but targeted phishing, billing or device-upgrade impersonation, and account-support social engineering using real AT&T customer context.
Security teams can use the data as a customer or employee exposure signal for suspicious carrier-themed email lures, phone-number risk reviews, and help-desk awareness. Individuals who may be affected should treat AT&T-themed upgrade or billing messages with caution, review AT&T account security settings such as passcodes and contact information, and use the lookup below to check whether their email, name, or phone appears in this leak (www.att.com).
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include email, name, and phone.
Sources
- BleepingComputer: AT&T alerts 9 million customers of data breach after vendor hack
- The Record: AT&T says 9 million customers exposed in January vendor breach
- SecurityWeek: Millions of AT&T Customers Notified of Data Breach at Third-Party Vendor
- The Register: AT&T blames marketing bods for exposing 9M accounts
- CSO Online: AT&T informs 9M customers about data breach
- Dark Reading: AT&T Vendor Breach Exposes Data on 9M Wireless Accounts
- FCC Complaints: Privacy Complaints
- AT&T Support: Protect Your AT&T Account