TL;DR: Remember the AT&T breach from 2024? The one that hit 73 million customers? It’s back, and worse. Starting February 2, 2026, 176 million enriched records began circulating in private criminal channels. Someone took the original AT&T breach data, merged it with records from the July 2024 Snowflake cloud compromise of AT&T call and text logs, and then fully decrypted the previously encrypted Social Security numbers. The combined dataset now includes 148 million SSNs, 133 million names and addresses, 132 million phone numbers, and 75 million dates of birth. A $177 million class action settlement won’t undo this. Old breaches don’t die. They get enriched, repackaged, and resold. Welcome to the zombie breach.
How a 2024 Breach Became a 2026 Crisis
The original theft happened in 2019. AT&T didn’t disclose it until March 2024. That breach affected 73 million customers: 7.6 million current accounts and 65.4 million former customers who thought they were done with AT&T.[1]
Then came July 2024. A separate attack hit AT&T through the Snowflake cloud platform, compromising call and text metadata for what AT&T described as “nearly all” of its wireless customers. Different breach, different attack vector, different data.[1]
Here’s where it gets ugly.
Criminal groups didn’t just sit on these datasets. They merged them. They took the personal details from the March 2024 disclosure (names, addresses, SSNs, dates of birth) and cross-referenced them against the Snowflake call/text records. Then they went further, pulling in data from other breaches: Instagram, LastPass, LinkedIn, and public records databases. The result is a terrifyingly complete picture of 176 million people.[2][3]
And those SSNs that AT&T said were encrypted? They’re not encrypted anymore. Somebody cracked them. All 148 million of them.[3]
What’s in the Dataset
The enriched records started circulating privately on February 2, 2026. Here’s what researchers found inside:[3]
- 148 million Social Security numbers: previously encrypted, now fully decrypted
- 133 million names and physical addresses
- 132 million phone numbers
- 131 million email addresses
- 75 million dates of birth
Read those numbers again. 148 million SSNs. That’s roughly 44% of the entire U.S. population. And this isn’t a dump of isolated data fields. It’s correlated. Each record ties a real name to a real address to a real SSN to a real phone number. It’s an identity theft kit, pre-assembled.
The enrichment process is what makes this different from the original breach. Raw breach data is messy: missing fields, outdated addresses, encrypted values. The enriched version fills in the blanks. If the original AT&T data had your name and SSN but not your current address, the Snowflake data or a LinkedIn scrape might supply it. If the SSN was encrypted, well, someone fixed that too.[2]
Why Old Breaches Get Worse Over Time
This is the “zombie breach” problem, and it’s about to define the next era of identity theft.[2]
The old way of thinking about breaches was linear: data gets stolen, it shows up on the dark web, people buy it, they commit fraud. Done. But that’s not how it works anymore.
Breach data is a raw material. Criminal groups treat it like crude oil, something to be refined, combined, and reprocessed into something more valuable. A name and encrypted SSN from AT&T gets matched with a phone number from Snowflake, an email from the Instagram leak, a master password hash from LastPass, and a work history from LinkedIn. Suddenly you’ve got a complete identity profile, the kind of profile that lets someone open a credit card, file a tax return, or take out a mortgage in your name.[2][3]
Every new breach makes every old breach more dangerous. Your data doesn’t degrade over time. It compounds.
The $177 Million Settlement That Doesn’t Fix Anything
AT&T agreed to a $177 million class action settlement. A fairness hearing was scheduled for January 15, 2026. Individual payouts could reach up to $7,500 for people who can document actual losses.[1]
Sounds decent until you do the math. 73 million affected customers. If even 10% file claims, the average payout drops fast. And most customers didn’t file at all. AT&T waited five years to disclose the original 2019 theft. By the time notification letters went out in 2024, millions of former customers had moved, changed emails, or simply didn’t notice. Late notification meant late claims. Late claims meant no claims.[1]
Even for those who do get paid, $7,500 doesn’t cover the lifetime of credit monitoring, fraud alerts, and identity recovery that comes with having your SSN permanently compromised. Your Social Security number doesn’t expire. The damage from this breach doesn’t have an end date.
And here’s the kicker: the settlement covers the March 2024 disclosure. The enriched 176 million record dataset that showed up on February 2, 2026? That’s a whole new problem. The settlement doesn’t account for criminal groups merging, decrypting, and reselling the data AT&T already lost.[3]
What You Should Do Right Now
If you were ever an AT&T customer (even years ago), assume your data is in this set. Act accordingly.
- Freeze your credit at all three bureaus. Equifax (800-349-9960), Experian (888-397-3742), TransUnion (888-909-8872). A freeze is free. It blocks anyone from opening new credit in your name. Do it today, not tomorrow.
- Get an IRS Identity Protection PIN. With 148 million decrypted SSNs floating around, tax fraud season just got a lot worse. Request a PIN at irs.gov to prevent someone filing a return in your name.
- Check HaveIBeenPwned. Troy Hunt’s Have I Been Pwned tracks breach datasets. If your email shows up in the AT&T breach, take it seriously.
- Change passwords on everything tied to your AT&T email or phone number. If criminals have your email and phone, they can attempt account recovery attacks on every service linked to those.
- Enable two-factor authentication, but not SMS-based. With phone numbers compromised, SIM-swap attacks become trivial. Use an authenticator app or hardware key instead.
- Monitor your credit reports. Pull free reports at AnnualCreditReport.com and look for accounts or inquiries you don’t recognize.
Breach Data Never Goes Away
The AT&T zombie breach is a case study in a problem that’s only going to get worse. We have decades of breach data accumulating across criminal networks. Every year, new breaches add new puzzle pieces. Every year, the old pieces become more useful as they get matched, enriched, and correlated.
There are roughly 4,000 publicly reported data breaches per year. The data from each one doesn’t exist in isolation. It’s a single ingredient in an ever-growing recipe. Your AT&T records meet your Instagram profile meet your LastPass vault meet your LinkedIn work history. Taken alone, each breach is a problem. Taken together, they’re a complete identity.
Companies talk about breach response like it’s a one-time event. Disclose, apologize, offer two years of credit monitoring, settle the lawsuit, move on. But the data doesn’t move on. It sits in criminal databases, getting more valuable every time another breach fills in another field.
The 176 million enriched AT&T records prove it. A breach from 2019, disclosed in 2024, weaponized in 2026. Seven years and counting. That data will still be circulating in 2030. And it’ll be even more enriched by then.
There’s no undo button for a breach. There’s only damage control. Start with the credit freeze. Do it now.
Sources
Published: February 12, 2026