What’s In the 2026 Dataset

Security researchers who analyzed the February 2026 dataset describe it as a merged, enriched compilation built largely from the twin AT&T breaches of 2024, cross-referenced with records from dozens of other known data exposures. The scale is staggering:

  • ~176 million total records
  • Up to 148 million Social Security Numbers (both full SSNs and last-4 digits)
  • 133+ million full names and physical addresses
  • 132+ million phone numbers
  • 131+ million email addresses
  • ~75 million dates of birth

To put that in perspective: the United States has roughly 340 million people. This dataset contains enough information to build a detailed profile on nearly half the country’s population.

The word researchers keep returning to is enriched. Someone β€” or more likely, many people working in organized criminal networks β€” took the raw data from AT&T’s breaches and ran it through a process of correlation and cleanup. Records that were partial got filled in. Duplicate entries got consolidated. Data from AT&T got cross-referenced against records from other breaches β€” healthcare providers, financial institutions, social media platforms β€” to create profiles that are far more complete than anything that came from any single breach.

β€œWhen data resurfaces, it never comes back weaker,” one dark web researcher observed in a forum post flagged by threat intelligence analysts.

The Original Breaches: A Recap

To understand why this 2026 resurgence is alarming, you need to understand what was stolen in the first place.

March 2024: The 73 Million Customer Breach

In March 2024, AT&T confirmed what security researchers had suspected for years: a dataset containing the personal information of approximately 73 million current and former customers had been compromised.

The story was more complicated than a clean, single breach event. The data was believed to have been stolen as far back as 2019, but it first appeared on dark web forums around 2021, when a threat actor attempted to sell it. AT&T denied the data was theirs for three years β€” a denial that proved untenable when independent researchers confirmed the records against real customers.

The breach, attributed to the hacking group ShinyHunters, included a devastating combination of fields:

  • Full legal names
  • Home addresses
  • Phone numbers
  • Email addresses
  • Dates of birth
  • Social Security Numbers
  • Account PINs

That last item β€” account PINs β€” is particularly significant. These aren’t password hashes. These were the four-digit codes AT&T customers use to verify their identity when calling customer service or visiting a store. In the wrong hands, a PIN plus the rest of this data is a master key to a wireless account.

July 2024: The Snowflake Breach and 110 Million Customers

If the March 2024 breach was alarming, the July 2024 incident was catastrophic in scale.

AT&T disclosed that call and text records for approximately 110 million customers β€” nearly its entire wireless subscriber base β€” had been exposed as part of a sweeping campaign targeting Snowflake, the cloud data warehousing platform used by hundreds of major corporations.

The Snowflake campaign was a supply chain attack of unusual sophistication. Rather than hacking AT&T directly, attackers compromised Snowflake accounts at AT&T and dozens of other companies by exploiting weak or stolen credentials. The scale of the operation eventually claimed data from Ticketmaster, Santander Bank, LendingTree, and numerous other organizations.

The AT&T Snowflake data differed from the March breach in character. Rather than raw personal identifiers, it contained:

  • Phone numbers involved in calls and texts
  • Call duration records
  • Text message metadata (not content)
  • Cell site location identifiers β€” data that can be used to track physical movements

When combined with the March 2024 breach data β€” which provided the names, SSNs, and addresses to go with those phone numbers β€” the resulting picture is comprehensive: identity, location, communication patterns, and the means to impersonate someone to their own carrier.

The Settlement

The legal and financial fallout eventually produced a $177 million class action settlement, one of the largest breach-related settlements on record. Many affected customers received settlement notices β€” though the payments, spread across tens of millions of claimants, rarely reflected the actual risk exposure.

Why This Data Is More Dangerous Now Than When It Was Stolen

This is the part that most people miss, and it’s the most important thing to understand.

The passage of time doesn’t make stolen data safer. It makes it more dangerous.

Here’s why:

1. Enrichment Through Correlation

In the immediate aftermath of a breach, stolen data is often messy β€” records are incomplete, duplicated, or contain errors. Over time, professional data brokers in the criminal underground apply the same analytical techniques that legitimate data companies use: they clean the data, remove duplicates, and most importantly, correlate it with other datasets.

Your AT&T phone number might link to your record in the 2021 LinkedIn breach, which provides your job title and employer. That links to a healthcare provider breach that adds your insurance information. That links to a mortgage servicing company breach that adds your loan balance and payment history.

The 176 million records circulating in 2026 aren’t just AT&T’s data. They’re AT&T’s data woven together with years of accumulated breach data. The profile being sold under your name today is more complete than anything AT&T’s own customer service systems ever had.

2. Your SSN and Date of Birth Don’t Change

Here’s the fundamental problem with Social Security Number exposure: you can’t get a new one. Your date of birth isn’t something you change. Your mother’s maiden name is what it is. These fields β€” the backbone of identity verification in American financial and government systems β€” are static.

Data stolen in 2019 is still fully valid in 2026. It will still be valid in 2030. Every account a criminal could open using your SSN, every fraudulent tax return they could file, every medical service they could bill to your insurance β€” none of that expires because the underlying data is old.

3. The Criminal Market Has Matured

In 2021, when this AT&T data first appeared, the criminal ecosystem for exploiting such records was relatively fragmented. By 2026, that market has professionalized considerably. There are now specialized services in underground markets for every stage of identity fraud: record lookups, SIM swap execution, synthetic identity construction, credit card farming, and more. Better data feeds into more sophisticated pipelines.

4. AI-Powered Phishing Is Now a Reality

Attackers now have AI tools that can generate hyper-personalized phishing messages using the exact details in these databases. When a scammer sends you an email that knows your full name, your address, the last four digits of your SSN, and references a real AT&T account you had β€” that email is not going in your spam folder. It’s going to land in your inbox, and it’s going to look legitimate.

The SIM Swap Threat: Why This Data Is a Loaded Weapon

Of all the ways that AT&T breach data can be weaponized, SIM swap fraud may be the most immediately devastating β€” and the 2024 breach data provides everything an attacker needs to execute one.

A SIM swap is exactly what it sounds like: a criminal convinces your mobile carrier to transfer your phone number to a SIM card they control. Once they have your number, every SMS-based two-factor authentication code that gets sent to β€œyou” goes to them instead. Your bank. Your email. Your cryptocurrency wallet. Your tax account. Your password reset messages.

The numbers on SIM swapping are alarming:

  • The UK saw a 1,055% increase in SIM swap fraud in 2024
  • The FBI reports $26 million in US losses attributable to SIM swapping in 2024 alone
  • T-Mobile was ordered to pay $33 million in a single arbitration case following a SIM swap attack on one customer
  • An estimated 96% of SIM swaps involve either social engineering of carrier employees or insider collusion

To execute a SIM swap against you, a criminal typically needs to convince a carrier representative that they are you. To do that convincingly, they need:

  • Your full name βœ“ (in the AT&T dataset)
  • Your phone number βœ“ (in the AT&T dataset)
  • Your account PIN βœ“ (in the March 2024 breach)
  • The last four digits of your SSN βœ“ (in the AT&T dataset)
  • Your billing address βœ“ (in the AT&T dataset)
  • Your date of birth βœ“ (in the AT&T dataset)

The AT&T breach data is essentially a SIM swap toolkit, ready-made.

The attack plays out quickly. Within minutes of a successful SIM swap, your phone goes dead β€” no service, no calls, no texts. The attacker then initiates password resets on your most valuable accounts, intercepting the verification codes that now route to their phone. By the time you realize what’s happening, they may have already gained access to your email, your bank, and anything else protected only by SMS-based two-factor authentication.

Warning Signs You’re Being Targeted

If your data is in this dataset β€” and given the scale, there’s a reasonable chance it is β€” here are the specific warning signs that an attack may be underway:

Immediate red flags:

  • Your phone suddenly shows β€œNo Service” or can’t make calls (SIM swap in progress)
  • Unexpected 2FA codes arriving via SMS that you didn’t initiate
  • Receiving strange password reset emails for accounts you didn’t touch
  • Text messages stopping unexpectedly

Longer-horizon warning signs:

  • Unfamiliar hard inquiries appearing on your credit report
  • New credit accounts you didn’t open
  • Bills or collection notices for accounts you don’t recognize
  • The IRS rejects your tax return because one was already filed with your SSN
  • Your healthcare provider shows claims for services you never received

Any of these should be treated as an emergency, not a minor inconvenience.

What You Must Do Right Now

The following steps aren’t suggestions. Given the scale of this data exposure, they are the minimum baseline for protecting yourself.

1. Freeze Your Credit β€” All Three Bureaus

A credit freeze is the single most effective protection against identity theft. It prevents anyone β€” including you β€” from opening new credit accounts without first lifting the freeze. It is free by federal law and does not affect your credit score.

You must freeze separately at each of the three major bureaus:

  • Equifax: equifax.com/personal/credit-report-services
  • Experian: experian.com/freeze/center.html
  • TransUnion: transunion.com/credit-freeze

Also consider freezing at the smaller bureaus that many people forget: Innovis, ChexSystems (for bank accounts), and NCTUE (for utility accounts).

2. Lock Down Your Carrier Account

Contact AT&T (or your current carrier) and take the following steps:

  • Set a new, strong account PIN β€” not your birthday, not 1234
  • Ask about β€œport freeze” or β€œSIM lock” β€” a feature that prevents number transfers without additional verification
  • Enable account notifications for any changes

If AT&T is your carrier, also consider switching from SMS-based authentication to their app-based options where available.

3. Move Away from SMS Two-Factor Authentication

This is non-negotiable. SMS-based two-factor authentication is not real security against someone who can SIM swap your number. Replace it immediately with:

  • Hardware security keys (FIDO2/WebAuthn β€” YubiKey is the most widely used)
  • Authenticator apps (Google Authenticator, Authy, or 1Password’s built-in TOTP)

Start with your highest-value accounts: email, bank, investment accounts, and anything with payment information stored.

4. Get an IRS Identity Protection PIN

The IRS offers a free Identity Protection PIN (IP PIN) β€” a six-digit code that must accompany any tax return filed under your Social Security Number. Without it, a fraudulent return filed with your SSN gets rejected automatically.

Enroll at: irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin

This is one of the most underused identity protection tools available, and it’s free.

5. Register with USPS Informed Delivery

The United States Postal Service’s Informed Delivery service sends you a daily email preview of incoming mail. More importantly, registering first prevents someone else from registering your address and intercepting your credit card applications, bank statements, and account notices.

6. Monitor Your Credit Continuously

You’re entitled to a free credit report from each bureau at annualcreditreport.com. Spread your three free reports across the year β€” one every four months β€” to maintain continuous visibility. Many banks and credit card issuers also offer free credit monitoring as a feature.

7. Be Skeptical of Everything That Knows Too Much About You

With this level of data in criminal hands, expect sophisticated phishing attempts that reference real details about you: your actual address, your real AT&T account number, your genuine date of birth. An email or phone call that knows your real information is not necessarily legitimate. Verify out-of-band β€” call the company back on a number from their official website, not one provided in the message.

The Bigger Picture

The 176 million records circulating in 2026 are a monument to a systemic failure β€” both at AT&T, which sat on breached data for years before acknowledging it, and across an industry that has still not fully grappled with the fact that personal data, once leaked, is permanently in circulation.

The $177 million settlement sounds significant. Divided across 73 million affected customers, it works out to roughly $2.43 per person β€” a fraction of what a single SIM swap attack or identity theft incident costs its victims in time, money, and stress.

The legal process moves slowly. The criminal market moves fast.

You cannot wait for another settlement, another disclosure, another round of β€œwe take your privacy seriously” press releases. Your data is out there, it has been enriched, and the people who hold it know exactly what to do with it.

The steps above are not complicated. Most take under 30 minutes. A credit freeze, a carrier PIN, an IP PIN from the IRS, and authenticator apps instead of SMS codes β€” these are achievable this week. Do them this week.

Because the alternative is waiting to discover what 176 million records can do to someone’s life when wielded by professionals who have been perfecting their techniques for years.

If you believe you’re already a victim of identity theft or SIM swap fraud, contact the FTC at identitytheft.gov and file a police report. Your carrier has a dedicated SIM swap fraud line β€” call and report it immediately if your phone loses service unexpectedly.