AT&T Data Breach Class Action Claims Customer Call and Text Records Were Exposed

In two significant data breaches disclosed in 2024, AT&T exposed sensitive personal and account information from millions of customers. The first breach, announced on March 30, 2024, compromised approximately 73 million current and former AT&T customers’ personal data including names, addresses, Social Security numbers, dates of birth, and account passcodes dating back to 2019 or earlier. A second breach, revealed on July 12, 2024, affected approximately 109 million customers when their call and text metadata—records of who called whom and when—were illegally downloaded from AT&T’s Snowflake workspace, covering interactions from May to October 2022, with a smaller subset from January 2, 2023.

These breaches prompted a $177 million settlement, split into two funds to compensate affected customers. The scale of these breaches underscores how vulnerable customer data can be within major telecommunications infrastructure. For example, a customer whose information was compromised might see their SSN and address combined with complete call records showing every person they contacted during a specific timeframe—a combination of data that could enable identity theft, social engineering, or unwanted tracking. The settlement represents one of the larger data breach class actions in recent years, though the compensation offered has generated debate about whether the payouts truly reflect the harm caused to affected individuals.

What Data Was Exposed in AT&T’s Two 2024 Breaches?

AT&T customers were affected by two distinct breaches that exposed different categories of sensitive information. The first breach compromised personal identifiers and account credentials for approximately 73 million customers. Exposed data included full names, home addresses, Social Security numbers, dates of birth, and account passcodes. This information originated from AT&T’s systems dating back to 2019 or earlier, meaning the breach may have gone undetected for several years before discovery. The second breach involved a different but equally sensitive type of data: call and text metadata covering approximately 109 million customers. This metadata included records of incoming and outgoing calls and text messages for the May through October 2022 period, plus a smaller subset of records from January 2, 2023.

The distinction between these two breaches is important for understanding the exposure. The first breach gave attackers access to traditional identity theft vectors—names, addresses, and SSNs can be used to open fraudulent accounts or apply for credit. The second breach exposed communication patterns and contacts, which could be used for targeted phishing, social engineering, or revealing sensitive personal relationships. Unlike the content of calls or texts, metadata alone reveals whom you contacted, when you contacted them, and the duration of contact. For a journalist, lawyer, activist, or business professional, this metadata could reveal confidential sources, client relationships, or controversial associations. The combination of both breaches affecting some customers created a particularly severe exposure scenario.

Settlement Details and Maximum Payout Amounts

AT&T agreed to a $177 million settlement divided into two non-reversionary settlement funds to address both breaches. The first fund contains $149 million to compensate customers affected by the initial personal data breach (SSN, address, DOB, passcodes), while the second fund contains $28 million for customers affected by the metadata breach involving call and text records. The settlement structure recognizes that the two breaches had different scopes and severity levels, with significantly more resources allocated to the first breach affecting more personal identifiers. The settlement’s payout structure uses tiered compensation based on which breach affected each customer.

Customers affected only by the first breach can receive up to $5,000 per claim, though compensation is further tiered by the severity of data exposed—customers whose SSN was included in the breach receive five times more than those affected by the breach but without SSN exposure. Customers affected only by the second breach (metadata exposure) can receive up to $2,500. Customers affected by both breaches can receive up to $7,500 total across both claims. However, a significant limitation of this settlement is that these represent maximum amounts, and actual payouts will depend on the number of valid claims filed. The more claims processed, the smaller each individual payout becomes, as the fixed settlement pools must be divided among all qualifying claimants.

AT&T Data Breach Settlement Funds and Maximum Payouts by Breach Type

First Breach Fund (Personal Data): $149 million
Second Breach Fund (Call/Text Metadata): $28 million
Max Payout – First Breach Only: $5,000
Max Payout – Second Breach Only: $2,500
Max Payout – Both Breaches: $7,500

Source: Official AT&T Data Breach Settlement Documents and Court Filings

Timeline and Claims Deadline

The claims filing deadline for the AT&T data breach settlement was December 18, 2025, and that deadline has now passed. No new claims are being accepted after this date. Customers who missed the deadline are generally unable to participate in the settlement, representing a significant limitation for those who were unaware of the breach or the filing requirement until after the cutoff. The final approval hearing took place on January 15, 2026, at 9:00 a.m. CT, where the court considered whether to formally approve the settlement.

As of the time this article was written, the final court decision on settlement approval was pending, though approval is typically routine in class action settlements once all deadlines have been met. This timeline means the settlement process is in its final stages, with the court’s formal approval expected in the coming weeks or months. Once the court issues final approval, the settlement administrator will begin processing valid claims and distributing payments from the two settlement funds. For customers who did file claims by the December 18, 2025 deadline, payment typically occurs within several months of final approval, though the exact timeline depends on claim processing time and fund administration procedures. This represents a two-year gap between the public disclosure of the breaches (March and July 2024) and the final distribution of compensation—a timeline that reflects the complexity of class action litigation even when defendants agree to settle.

How to File a Claim and Receive Compensation

For customers who filed claims before the December 18, 2025 deadline, the next step is waiting for the settlement administrator to process their claim and calculate their payout. The official settlement website, Telecom Data Settlement, contains information about claim status and processing timelines. Customers who believe they are entitled to compensation but haven’t yet submitted a claim cannot do so after the deadline has passed, which is a critical limitation of this class action. One of the most important considerations for claimants is understanding what documentation or proof of eligibility may be required.

Depending on the settlement administrator’s procedures, customers may need to provide AT&T account information or identify which data elements were exposed to them. The settlement process includes provisions for objections and appeals for those who disagree with the settlement terms, though any objections would have been due before the final approval hearing. For most affected customers, the practical path forward is to monitor the settlement website for updates on claim processing and payment distribution. The settlement’s fairness and adequacy have been reviewed by the court, but individual customers may still want to understand their specific tier of compensation before the payout occurs. It’s worth noting that in many data breach settlements, customers affected by both breaches receive proportionately higher compensation, reflecting the compounded harm of having both personal identifiers and communication records exposed.

Dark Web Resurfacing and Ongoing Security Concerns

In February 2026, approximately 176 million AT&T customer records resurfaced on the dark web, creating renewed alarm among affected customers and raising questions about the security of their data post-settlement. However, this dark web appearance was not a new breach but rather a repackaging of data from the 2024 breaches combined with additional data enrichment—meaning attackers had compiled the original stolen data with other publicly or commercially available information to create more complete profiles. This development highlights a critical limitation of class action settlements: they address past breaches and provide compensation, but they cannot retroactively make exposed data disappear from criminal marketplaces. Once personal information is stolen and sold online, it can be traded, repackaged, and redistributed indefinitely.

The resurfacing of AT&T customer data illustrates why victims of major data breaches often face ongoing risks even after settlement agreements are reached. Customers who received compensation from the settlement still need to implement personal protective measures, such as credit monitoring, fraud alerts, or credit freezes. The dark web repackaging also demonstrates that attackers continue to find value in older compromised data, particularly when enriched with additional information like phone numbers or email addresses that might have been obtained from other sources. This underscores a fundamental tradeoff in data breach settlements: financial compensation helps customers pay for protection services like identity theft insurance or credit monitoring, but it does not eliminate the underlying security risk or prevent future misuse of their information.

AT&T’s Response and Responsibility

AT&T disclosed both breaches publicly and cooperated with law enforcement and regulatory investigations following discovery. The company took responsibility for the compromises and agreed to the substantial settlement without admitting liability, a common practice in settlement agreements. However, the specific circumstances of each breach revealed security weaknesses that raised questions within the cybersecurity community.

The second breach, which involved data stored in AT&T’s Snowflake data warehouse, highlighted how even major corporations can misconfigure cloud storage systems, allowing unauthorized access to massive databases containing sensitive customer information. AT&T’s response included implementing additional security measures and customer notification procedures, though the specifics of these improvements have not been fully detailed publicly. The settlement terms may include requirements for enhanced data security practices going forward, though such requirements are often not disclosed as part of settlement agreements. For customers evaluating AT&T’s trustworthiness after these breaches, the company’s willingness to settle quickly and provide substantial compensation demonstrated some accountability, but the question of whether preventive measures could have avoided the breaches in the first place remains relevant to customers’ ongoing relationship with the company.

Lessons and Future Implications

The AT&T breaches represent a pattern in telecommunications industry security: massive data repositories containing sensitive customer information remain attractive targets for sophisticated attackers, and configuration errors or unauthorized access can go undetected for extended periods. The settlement amount—$177 million for two breaches affecting roughly 180 million unique customer accounts—reflects the economic penalty AT&T faces for the exposure, but also highlights how settlement amounts, while large in absolute terms, may represent a relatively small portion of annual corporate profits for a company the size of AT&T. This raises ongoing questions about whether financial settlements alone are sufficient incentive for corporations to invest more heavily in preventing breaches.

Looking forward, these breaches will likely influence how regulators approach data security requirements for telecommunications companies and other industries handling sensitive personal information. The settlement also serves as a reminder to customers that even major, well-established companies are not immune to significant data breaches. The compensation provided, while meaningful for individuals affected, cannot fully restore the privacy and security that was compromised. As telecommunications infrastructure becomes increasingly central to daily life, the stakes for data security breaches continue to grow, making the AT&T case a significant reference point for discussions about balancing corporate accountability with customer protection in the digital age.

Conclusion

AT&T’s 2024 data breaches exposed personal identifiers and call and text metadata for millions of customers, prompting a $177 million settlement with maximum payouts ranging from $2,500 to $7,500 depending on which breach affected each customer. The claims filing deadline of December 18, 2025, has passed, meaning customers who did not submit claims by that date are no longer eligible to participate. The final court approval hearing occurred on January 15, 2026, and once the settlement is formally approved, the settlement administrator will process claims and distribute compensation over the following months.

For customers affected by these breaches, the settlement provides some financial recourse, but it does not eliminate ongoing security risks—as demonstrated by the dark web resurfacing of repackaged customer data in February 2026. Customers who filed claims should monitor the official settlement website for updates on claim status and payment timing. Those who missed the filing deadline should consult with a class action attorney to understand whether any other remedies or options may be available, though most affected customers will find that the class action settlement represents the primary avenue for compensation related to these breaches.

