AT&T confirms data breach and resets customer passcodes

&gt; This FAQ says customers can set up free fraud alerts from credit bureaus Equifax, Experian, and TransUnion<p>I once subscribed to one of these and then was surprised by monthly charges a year or so later when the “free” bit ran out.

Am I out of the loop, or is it really uncommon for a company to proactively reset passwords after a breach?<p>Maybe I&#x27;m being paranoid but after the whole T Mobile plaintext password fiasco a couple years back I worry that AT&amp;T may have done something equally stupid, perhaps un-salted hashes if not plaintext passwords.<p>Edit: my bad, I didn&#x27;t read this article first (and stupidly relied on another article I read earlier, which didn&#x27;t have as much detail)... Does anyone have more detail on the new research? If the &quot;passwords&quot; are really short numeric pins, it sounds like they _are_ unsalted if they&#x27;re so vulnerable.

These large companies have become so complacent. Their handling of user data is comical, at best.<p>“SOX” compliance and other certifications are just buzzwords at this point.

A reminder for anyone who hasn’t already done it, freeze your credit at all 3 credit agencies. Only unfreeze the 1 you need for the time period it needs to be unfrozen for, if applying for new credit. This should stop most identity theft related to the SSN leak.<p>This should be standard practice for everyone after the Equifax breach several years ago.<p>Of course if someone can take control of a person’s phone number, that’s essentially a new form of identity theft now that 2FA has turned our phones into our identity, whether we asked for it or not.

&gt; says that leaked information &quot;may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&amp;T account number and passcode.&quot;<p>I fully agree with all the other comments out there which say that companies don&#x27;t take privacy seriously enough and that there aren&#x27;t enough real penalties when this data is leaked.<p>That said, are we ever going to stop pretending that this data is &quot;private&quot; anymore? That is, I&#x27;m pretty sure that everyone who has ever held a digital account has had their name, phone, email, address, and more importantly birthdate and SSN leaked numerous times already. They&#x27;re simply no longer private as a matter of fact. But this set of data is essentially all that is required in most places to, say, open a bank account and pass KYC restrictions. Why? Why are we still pretending that this information isn&#x27;t available on pretty much everyone <i>to</i> pretty much anyone that has smallest amount of technical knowledge?<p>I agree with the other comment about always freezing your credit scores, which makes it much more difficult for others to fraudulently open accounts in your name. Also note the entire financial system <i>knows</i> this, but they know that most of the cost is born by the victim (it&#x27;s been repeated a million times how &quot;identity theft&quot; is essentially a made up term banks came up with for shifting the blame onto the victim instead of themselves for not having good identity verification procedures in the first place), which is why they don&#x27;t recommend it by default and more broadly.