US Telco Data

Breach Timeline

In April 2026, T-Mobile disclosed a security incident involving the unauthorized access of a customer's account data. While T-Mobile's filing with the Maine Attorney General officially listed only one affected individual, SecurityWeek noted that companies sometimes use "1" as a placeholder in initial filings while investigations remain ongoing.

T-Mobile confirmed the breach was an isolated incident caused by an employee of a third-party vendor who improperly accessed the customer's records. The company reset the affected account's PIN and stated that no financial account information or call records were compromised. Despite T-Mobile's insistence that the impact was limited to a single customer, the disclosure drew skepticism given the company's long history of large-scale breaches.

On March 17, 2026, a threat actor posted a 61GB database for sale on a hacker forum for $1,200, claiming it contained over 6.3 million records exfiltrated from Russell Cellular, one of the largest Verizon authorized retailers in the United States. The origins of the breach remain under investigation; it was initially unclear whether attackers compromised Russell Cellular's internal systems directly or gained access through a third-party service. Verizon acknowledged the "potential threat" via the retailer and launched an active investigation.

The allegedly stolen data includes customer names, phone numbers, email addresses, account numbers, and device identifiers including ESN and IMEI numbers. Most critically, the dataset reportedly contains internal employee credentials and access roles, creating serious risk for targeted SIM swapping and social engineering attacks even if Verizon's core network remained unaffected. As of April 2026, Russell Cellular had not begun notifying impacted individuals, which legal observers noted may have violated state and federal notification laws.

On December 10, 2025, Total Wireless was notified by its identity verification provider Veriff that an unauthorized party had accessed customer data from Veriff's systems. The breach occurred on November 18, 2025, after a threat actor used a phishing site to steal a Veriff employee's credentials. Total Wireless's own systems were not affected.

The compromised data came from a Total Wireless promotion that required customers to upload government-issued identification for verification. Exposed records included images of those ID documents, along with postal addresses and dates of birth for some individuals. Total Wireless notified law enforcement, filed notices with multiple state attorneys general, and began sending breach notifications to affected customers on January 9, 2026. The company offered one year of free identity protection and credit monitoring through Experian IdentityWorks. At least three class action lawsuits were subsequently filed against Total Wireless and Veriff.

⚠️ Note: This entry is not a new breach but a significant re-emergence of previously stolen data.

In May and June 2025, a threat actor re-listed a repackaged AT&T customer database on a Russian-language cybercrime forum, assembling records from both of AT&T's 2024 breach incidents into a single, more dangerous unified dataset. The listing contained over 86 million unique records, including full names, dates of birth, phone numbers, addresses, and approximately 44 million Social Security numbers, all in plain text.

AT&T clarified that no new unauthorized system access had occurred; the SSNs and dates of birth had already been exposed in the original 2024 breaches, but were now consolidated and cross-referenced in a format that makes them far more immediately actionable for fraud. The incident illustrates how breach data compounds in value over time: individually stolen fields become more exploitable once aggregated and re-sold in enriched form.

In April 2025, security researcher Evan Connelly publicly disclosed a critical vulnerability in Verizon's Call Filter iOS app that he had reported to Verizon on February 22, 2025. The flaw resided in a backend API endpoint used to retrieve call history: although the endpoint required a valid JWT token for authentication, it failed to verify that the phone number requested in the header matched the authenticated user's account. As a result, any logged-in user could substitute any Verizon phone number and retrieve that number's incoming call logs without compromising the target's device or knowing their password.

Because Call Filter is pre-installed and enabled by default on many Verizon devices, the scope of potential exposure was broad. While the exposed data was limited to incoming call metadata, the implications were significant. Security experts noted that call metadata can be used to map communication patterns, identify sources, and monitor the movements of high-value targets such as journalists, law enforcement officers, and public figures. Verizon confirmed the issue was resolved by March 25, 2025, and stated there was no indication the flaw had been exploited.

On October 12, 2024, 404 Media reported that threat actors had breached Verizon's push-to-talk (PTT) system — a product marketed to public sector agencies, enterprises, and first responders — by compromising a third-party provider. The hackers, operating under the aliases Cyberphantom and Judische, advertised over 900GB of stolen data on a Russian-language cybercrime forum for $200,000, claiming access to admin accounts, APIs, interconnected LAN servers, call logs, and employee PII.

Public procurement records show Verizon PTT customers include local and state governments, sheriff departments, and federal agencies including NASA and the Army. Subsequent reporting by Krebs on Security revealed that "kiberphant0m" was later identified as a U.S. Army soldier stationed in South Korea, who was arrested in December 2024 in connection with extortion demands against AT&T and Verizon.

In late September and October 2024, the Wall Street Journal reported that the Chinese state-sponsored hacking group known as Salt Typhoon had infiltrated at least eight major U.S. telecommunications providers, including AT&T, Verizon, and Lumen Technologies. The intrusion targeted the CALEA lawful intercept infrastructure that telecom companies maintain for court-authorized government surveillance — providing the hackers with access to both sensitive metadata and, in some cases, unencrypted call audio and text messages.

The White House ultimately confirmed nine U.S. telecoms were compromised. High-profile targets reportedly included then-President-elect Donald Trump, Vice President-elect JD Vance, and staff from multiple political campaigns. Senator Ben Ray Luján described the incident as potentially the largest telecom hack in American history. The FBI and CISA issued a joint advisory urging providers to strengthen network security, and as of early 2026, the full scope of the intrusion had still not been fully resolved.

On July 12, 2024, AT&T disclosed in an SEC filing that threat actors had illegally downloaded records from its workspace on Snowflake, a third-party cloud data platform, over an 11-day window in April 2024. The stolen data covered call and text records for nearly all of AT&T's wireless customers (approximately 109 million people) for the period of May 1 to October 31, 2022, with a small number of additional records from January 2, 2023. AT&T had learned of the breach on April 19, 2024, but delayed public disclosure based on a determination by the Justice Department.

The compromised records did not include the content of calls or texts, nor did they include names, Social Security numbers, or financial information. However, some records contained cell site identification numbers that can be used to approximate where a call or text originated. The breach was part of a broader campaign targeting Snowflake customers; investigators attributed the attacks to a financially motivated threat actor group. Two individuals were subsequently charged: Connor Moucka of Canada and John Erin Binns, who was separately arrested in Turkey. A proposed $177 million settlement covering both 2024 AT&T incidents received preliminary federal approval in June 2025.

⚠️ Note: The three breaches underlying this entry occurred between January 2021 and January 2023; the FCC settlement was announced July 2024.

In July 2024, Verizon's TracFone subsidiary agreed to pay a $16 million civil penalty to settle an FCC investigation into three separate data breaches across its prepaid brands — which include Straight Talk, Total by Verizon Wireless, and Walmart Family Mobile. All three incidents involved the exploitation of API vulnerabilities.

The first breach, discovered in December 2021, involved attackers using API access to initiate an unusually high volume of unauthorized port-out requests, transferring customer phone numbers to other carriers without the account holders' knowledge or consent, enabling SIM swap attacks at scale. Two subsequent breaches in December 2022 and January 2023 involved unauthenticated access to TracFone's order website, exposing customer order information; both exploited the same underlying vulnerability, which TracFone patched only in February 2023. The FCC concluded TracFone had "failed to reasonably secure customers' proprietary information," violating the Communications Act. In addition to the fine, TracFone was required to implement a new API security program aligned with NIST and OWASP standards and submit to annual independent security assessments.

⚠️ Note: This entry is not a traditional breach but a documented, systemic privacy violation that resulted in a nearly $200 million federal fine.

In April 2024, the FCC fined the four largest U.S. wireless carriers a combined $196 million for illegally selling their customers' real-time location data to third-party aggregators — who in turn resold access to bail bondsmen, bounty hunters, and other unauthorized parties — without customer consent and without adequate safeguards. T-Mobile received the largest fine at $92 million (including $12 million for its Sprint subsidiary), followed by AT&T at $57 million and Verizon at $47 million.

The underlying conduct came to light in 2018 when investigative reporting revealed that a company called LocationSmart was providing near-real-time location data for virtually any phone on the major U.S. networks, and that it had leaked this data through a vulnerable demo page anyone could access without authentication. Subsequent Motherboard investigations found AT&T, T-Mobile, and Sprint were selling location access to bounty hunters for as little as $7.50 per lookup. Despite public commitments from all carriers in 2018 to end the practice, reporting in 2019 confirmed it continued. The FCC's investigation, launched in 2019 under the Trump administration and finalized under the Biden administration, concluded that the carriers had violated the Communications Act by failing to protect customer proprietary network information. All four carriers announced plans to appeal.

On March 30, 2024, AT&T confirmed that a dataset containing personal information on approximately 73 million current and former customers had been published on the dark web. The company stated it appeared to be from 2019 or earlier and reset account passcodes for affected customers as a precaution. AT&T said it could not confirm whether the data originated from its own systems or a vendor, stating it had "no evidence of unauthorized access to its systems."

The data had a troubled history: a hacker had attempted to sell what appeared to be the same AT&T dataset in 2021, which AT&T denied at the time. The 2024 confirmation came only after a seller published the full dataset publicly in early March. Exposed information included names, email and postal addresses, phone numbers, Social Security numbers, dates of birth, and AT&T account details — a combination that placed affected individuals at elevated risk of identity theft and financial fraud. AT&T notified affected customers and offered credit monitoring where applicable. The exact origin of the breach has never been officially confirmed.

On February 7, 2024, Verizon notified the Maine Attorney General that the company had suffered an internal data breach affecting 63,206 employees. The breach occurred on September 21, 2023, when an employee accessed a file containing sensitive colleague information without authorization and in violation of company policy. Verizon did not discover the breach until December 12, 2023 — nearly three months later — and did not begin notifying affected employees until February 2024.

According to Verizon's filings, the company attributed the incident to a combination of "insider wrongdoing" and "inadvertent disclosure." There was no evidence that the information had been shared externally or misused. SecurityWeek reported that a company spokesperson characterized it as an employee handling a file inappropriately, without malicious intent. Affected employees were offered two years of identity theft protection and credit monitoring, including up to $1 million in reimbursement coverage for stolen funds.

In late December 2023, Mint Mobile began notifying customers via email that an unauthorized actor had obtained limited customer information from its systems. The notification, sent December 22, 2023, stated the company had identified and resolved the underlying issue. Mint confirmed that Social Security numbers, driver's license numbers, credit card numbers, and passwords were not collected or exposed.

The exposed data is particularly concerning because it provides the information needed to conduct SIM swap attacks, in which attackers port a victim's number to their own device and intercept SMS-based authentication codes. Mint did not disclose the number of affected customers. The company was in the process of being acquired by T-Mobile at the time of the breach, a deal that closed in 2024.

On September 20, 2023, T-Mobile customers reported on social media that upon logging into their T-Mobile accounts, they were shown the personal information — including addresses and credit card details — of other customers instead of their own. T-Mobile attributed the exposure to an overnight system error and stated it affected fewer than 100 customers. However, the total number of parties who accessed or were exposed to incorrect account data was not fully disclosed. The incident was the third customer-facing breach T-Mobile experienced in 2023 alone — an unprecedented frequency of security failures for a major U.S. carrier in a single year.

Reports emerged in September 2023 that hackers had breached T-Mobile's internal servers in March or April 2023, exfiltrating approximately 89GB of sensitive employee data. The compromised records, which were subsequently posted on a well-known hacker forum, contained names, partial Social Security numbers, and email addresses for 17,835 current and former employees. The breach is suspected to have originated through Connectivity Source, an independently owned T-Mobile authorized dealer.

In early 2023, T-Mobile notified 836 customers that attackers had maintained ongoing access to their account data for over a month without detection, beginning in late February 2023. The breach involved highly sensitive information including full names, contact details, account PINs, Social Security numbers, and government-issued IDs — though the specific data varied per account. The FCC's subsequent investigation determined the attackers gained access by stealing the credentials of several dozen T-Mobile retail employees, likely through phishing. The incident demonstrated a serious failure of T-Mobile's threat detection capabilities and was one of three incidents covered under the company's 2024 $31.5 million FCC settlement.

In January 2023, the cybersecurity team at SafetyDetectives discovered a dataset containing information on approximately 7.5 million Verizon wireless customers on the dark web. The breach was linked to Verizon through clues found in the filenames, though the definitive origin was never officially disclosed. Verizon stated the issue stemmed from an outside vendor and had been resolved. While the exposed records did not include directly identifiable information such as names or Social Security numbers, researchers cautioned that the data could be combined with records from other breaches to facilitate fraud or identity theft.

In January 2023, T-Mobile disclosed that a bad actor had been exploiting a single misconfigured API endpoint since November 25, 2022 — going undetected for approximately six weeks — to steal information from over 37 million customer accounts. The incident exposed names, home and email addresses, phone numbers, dates of birth, and account details for roughly a third of T-Mobile's total subscriber base. No financial information, SSNs, or passwords were included. As the company had finalized a $350 million settlement from the 2021 breach just months earlier — having committed $150 million specifically toward security improvements — the incident raised immediate questions about whether those investments were being deployed effectively. This breach was among those covered under T-Mobile's 2024 $31.5 million FCC settlement.

In late 2022, attackers used SIM swapping, phishing, and related social engineering tactics to gain unauthorized access to a T-Mobile management platform used by its mobile virtual network operator (MVNO) reseller partners. The platform contained customer data for MVNO subscribers operating on T-Mobile's network. The FCC's investigation identified the Lapsus$ cybercrime group as the likely perpetrator of this incident. The number of affected customers and the precise scope of compromised data were not publicly disclosed. This breach was one of three incidents covered under T-Mobile's 2024 FCC settlement.

In October 2022, Verizon disclosed a breach affecting approximately 250 prepaid accounts, in which the last four digits of customers' payment card numbers were exposed alongside personal details including names, phone numbers, and addresses. While the partial card data alone would not enable unauthorized purchases, the combination of PII created risk for further account compromise. Verizon also cautioned that some affected accounts may have been subjected to SIM swap attempts. The company reset PINs on affected accounts and provided guidance to customers on securing non-Verizon accounts that could be vulnerable to SIM swapping.

In August 2022, a cybersecurity firm reported intercepting a large dataset containing personally identifiable information on approximately 23 million individuals in the United States. Analysis indicated the records most closely matched past and present AT&T customers. AT&T did not confirm the data originated from its systems, stating the records did not appear to match any known internal breach and suggesting the incident may be related to a prior compromise at another organization. The dataset — which included names, addresses, phone numbers, Social Security numbers, and dates of birth — was never officially attributed, and its origins remain unconfirmed.

In May 2022, an unauthorized individual allegedly obtained an internal Verizon employee contact database through pretexting — using deception to impersonate a trusted party and gain access to internal systems. The perpetrator reportedly requested $250,000 from Verizon to not publish the data. Verizon declined, stating that the information was already considered publicly available. While the exposed data did not directly include customer records, the database could enable bad actors to impersonate Verizon staff or conduct targeted phishing campaigns against the company's internal systems and employees.

In April 2022, T-Mobile confirmed that the Lapsus$ extortion gang had repeatedly breached its internal network by purchasing employee VPN credentials from underground marketplaces and using them to access internal systems. Leaked Lapsus$ chat logs reviewed by security journalist Brian Krebs revealed the group had accessed T-Mobile's Atlas customer account management system — which can be used to execute SIM swaps — and downloaded over 30,000 source code repositories from T-Mobile's Bitbucket environment. T-Mobile stated that the systems accessed "contained no customer or government information," though the source code theft and demonstrated SIM swap capability represented significant operational exposure. TechCrunch reported that Lapsus$ members attempted to locate T-Mobile accounts associated with FBI and Department of Defense employees before being blocked by additional verification requirements. Several Lapsus$ members were subsequently arrested in the UK; at least two were teenagers at the time.

In August 2021, T-Mobile suffered one of the largest and most consequential data breaches in U.S. telecom history. Hacker John Erin Binns exploited an unprotected GPRS gateway to gain access to T-Mobile's internal network, then leveraged knowledge of the company's infrastructure to move laterally and exfiltrate data on approximately 76.6 million individuals, including current postpaid customers, former customers, and prospective customers who had applied for credit. Binns later claimed responsibility in an interview with the Wall Street Journal, saying T-Mobile's security was "awful."

Exposed data included names, dates of birth, Social Security numbers, driver's license numbers, and device identification numbers. In July 2022, T-Mobile agreed to a $350 million settlement to resolve class action lawsuits — one of the largest data breach settlements in U.S. history at the time — and committed an additional $150 million toward cybersecurity improvements. In 2024, the FCC levied a separate $15.75 million civil penalty against T-Mobile related to this and subsequent breaches. Binns was arrested in Turkey and faces extradition to the United States.