
AT&T Careers Breach
Oct 21, 2025
563,482 rows
What happened in the AT&T Careers Breach?
DataBreach.com Team · October 28th 2025, 8:00 pm EDT
The Everest ransomware group claims to have stolen about 576,000 applicant and employee records from AT&T’s job-application portal (att.jobs).
The company has not confirmed any compromise, and the claim remains unverified as of publication.
Context
Everest is a long-running extortion group that publishes stolen data when victims refuse to negotiate. AT&T’s recruitment site (att.jobs) uses Workday, a third-party HR platform where applicants submit personal and contact information.
The threat actor’s claim appears to concern data from that careers system - not AT&T’s wireless or customer accounts. No regulator filings, public statements, or technical advisories from AT&T have yet corroborated the posting.
Details
- On Oct 21, 2025, Everest added a password-protected “AT&T Careers” entry to its dark-web leak site, citing 576,686 records.
- By Oct 28, threat-intelligence trackers (including RansomLook) marked the listing as “Database Leaked.”
- Everest provided no technical proof, screenshots, or hashes at the time of posting.
- AT&T has issued no confirmation or denial, and security researchers continue to treat the claim as alleged.
What the published samples appear to contain
Independent analysts and media outlets such as Hackread reported seeing CSV files labeled “user_list” and “customer_list,” totaling roughly the same number of rows claimed by Everest.
We parsed one copy of the data circulating in criminal forums and found 563,482 unique email addresses and phone numbers, appearing to represent job applicants or AT&T HR contacts.
No Social Security numbers, payroll data, or customer credentials were observed in the reviewed sample.
Because the source is a criminal actor, these findings cannot be independently verified without official confirmation.
Why this matters
- Phishing & social-engineering risk: Even unverified dumps may fuel targeted scams masquerading as AT&T recruiters or HR staff.
- Credential reuse risk: If recruitment-portal passwords overlap with corporate accounts, attackers could attempt reuse attacks.
- Regulatory implications: If confirmed, any exposure of applicant data could trigger notification requirements under state privacy laws or GDPR (if EU residents were involved).
Recommended actions
- Assume possible exposure: Reset passwords for AT&T’s careers portal or related Workday accounts; enable MFA where possible.
- Watch for fake recruiter outreach: Ignore unsolicited job-offer messages or attachments referencing AT&T.
- Monitor identity and communications accounts: Look out for unusual login or SMS verification activity.
- Keep proof of suspicious contact: Preserve any emails or texts claiming to relate to AT&T’s hiring process.
Attribution & reliability
The only source for this alleged breach is the Everest ransomware group’s leak site.
Threat-intel trackers have mirrored the claim, but no authoritative confirmation from AT&T, regulators, or trusted forensic reports currently exists.
Everest has a mixed credibility record - some past leaks were genuine, others exaggerated or entirely fabricated.
Until AT&T or law enforcement confirm or refute the claim, this incident should be regarded as “unconfirmed threat-actor posting.”










