AT&T Breach Data Resurfaces with 176M Enriched Records

A massively enriched dataset from AT&T's 2024 data breaches has been circulating privately since February 2, 2026, and it's worse than the original disclosures. The dataset reportedly contains 176 million records — up from the 73 million customers originally reported — with far more complete personal information per record than earlier leaks.

What's in the Data

According to Malwarebytes researchers who analyzed the circulating dataset, the numbers are staggering:

• Up to 148 million Social Security numbers (both full and last-four-digit formats)
• Over 133 million full names and street addresses
• More than 132 million phone numbers
• Approximately 75 million dates of birth
• Over 131 million email addresses

The original AT&T breach disclosures in 2024 covered two separate incidents affecting 73 million customers. So where did the additional 100+ million records come from?

How Breach Data Gets Worse Over Time

This is what security researchers call data enrichment, and it's why data breaches don't fade away. Stolen datasets from different breaches get merged, cross-referenced, and cleaned up over time. A phone number from one leak gets matched to an SSN from another. Partial records become complete profiles. As Malwarebytes put it, "breach data tends to linger, then get merged, cleaned up, and expanded over time."

The result is a dataset that's "more attractive, more searchable, and more actionable for criminals" than anything AT&T originally disclosed. An incomplete record with just a name and phone number is useful for spam calls. A complete record with SSN, date of birth, home address, email, and phone number is useful for full-blown identity theft.

What Attackers Can Do With This

The combination of data types in this set enables a range of attacks that partial data doesn't support:

SIM-swap attacks become trivial when attackers have your full name, phone number, and SSN. They call your carrier, verify your identity using the stolen data, and transfer your number to their device. From there, they intercept two-factor authentication codes and break into your bank accounts, email, and everything else. This kind of fraud has been increasingly common — the Substack breach last week exposed phone numbers for 700,000 users, and even that smaller dataset creates SIM-swap risk.

Tax return fraud requires a name, SSN, and date of birth. This dataset has all three for tens of millions of people. With tax filing season underway in the U.S., the timing couldn't be worse.

Credit application fraud uses SSN, address, and date of birth to open accounts in victims' names. The enriched dataset has enough data for this at scale.

Targeted phishing gets far more convincing when the attacker knows your full name, address, email, and which carrier you use. These aren't generic "Dear Customer" emails — they're personalized messages that reference details only your provider should know.

The Settlement Limbo

AT&T announced a $177 million settlement for the two 2024 breaches, and roughly 99.7 million settlement notices have been sent out. By late December 2025, about 4.38 million people had submitted claims. A final approval hearing took place on January 15, 2026, before Judge Ada Brown in the Northern District of Texas, but no ruling has been issued yet.

That leaves millions of AT&T customers in a strange position: their data is actively circulating in an enriched form that's more dangerous than what was originally stolen, but the legal process meant to provide recourse hasn't concluded. The Conduent breach followed a similar pattern — the scope of the breach kept expanding long after the initial disclosure.

Why This Matters

The enrichment of AT&T's breach data illustrates a problem the security industry talks about but hasn't solved: stolen data has a half-life measured in years, not months. Each subsequent breach adds context. Each merge creates a more complete picture. The 176 million figure might grow further as other datasets get folded in.

For the hacking news community and breach researchers, this is a case study in how initial breach disclosures consistently understate long-term risk. The 73 million number AT&T reported was accurate at the time. But "accurate at the time" means very little when your data keeps getting enriched by other breaches you had nothing to do with.

What AT&T Customers Should Do

1. Freeze your credit with all three bureaus (Equifax, Experian, TransUnion) — this is the single most effective step against identity fraud
2. File your tax return early before someone files a fraudulent one using your SSN
3. Set up fraud alerts with the IRS using Form 14039 if you haven't already
4. Monitor your accounts for unauthorized activity — bank accounts, credit cards, phone carrier accounts
5. Use a password manager and enable multi-factor authentication everywhere — and prefer app-based MFA over SMS, given the SIM-swap risk
6. Watch for phishing that uses your personal details to appear legitimate — verify any suspicious contact through official AT&T channels directly

The enriched dataset is out there, and it's not getting recalled. The best defense is to assume your data is compromised and act accordingly. For more tips on protecting yourself online, see our online safety guide.