Enlarge (credit: Getty Images)

AT&T is notifying millions of current or former customers that their account data has been compromised and published last month on the dark web. Just how many millions, the company isn't saying.

In a mandatory filing with the Maine Attorney General’s office, the telecommunications company said 51.2 million account holders were affected. On its corporate website, AT&T put the number at 73 million . In either event, compromised data included one or more of the following: full names, email addresses, mailing addresses, phone numbers, social security numbers, dates of birth, AT&T account numbers, and AT&T passcodes. Personal financial information and call history didn’t appear to be included, AT&T said, and data appeared to be from June 2019 or earlier.

The disclosure on the AT&T site said the 73 million affected customers comprised 7.6 million current customers and 65.4 million former customers. The notification said AT&T has reset the account PINs of all current customers and is notifying current and former customers by mail. AT&T representatives haven’t explained why the letter filed with the Maine AG lists 51.2 million affected and the disclosure on its site lists 73 million.

Enlarge (credit: Malte Mueller | fStop )

A high-level Iowa hospital systems administrator, Matthew Kierans, has admitted to stealing a coworker's identity and posing as William Donald Woods for more than 30 years, The Register reported .

On top of using Woods' identity to commit crimes and rack up debt, Kierans' elaborate identity theft scheme led to Woods' incarceration after Kierans' accused his victim of identity theft and Los Angeles authorities failed to detect which man was the true William Donald Woods. Kierans could face up to 32 years in prison, The Register reported, and must pay a $1.25 million fine.

According to a proposed plea agreement with the US Attorney's Office for the Northern District of Iowa, Kierans met Woods "in about 1988" when they worked together at a hot dog stand in New Mexico. "For the next three decades," Kierans used Woods' "identity in every aspect of his life," including when obtaining "employment, insurance, a social security number, driver's licenses, titles, loans, and credit," as well as when paying taxes. Kierans even got married and had a child using Woods' name.

Enlarge (credit: Wong Yu Liang | Moment )

The US may have uncovered the nation's largest "SIM swap" scheme yet, charging a Chicago man and co-conspirators with allegedly stealing $400 million in cryptocurrency by targeting over 50 victims in more than a dozen states, including one company.

A recent indictment alleged that Robert Powell—using online monikers "R," "R$," and "ElSwapo1"—was the "head of a SIM swapping group" called the “Powell SIM Swapping Crew.” He allegedly conspired with Indiana man Carter Rohn (aka "Carti" and "Punslayer") and Colorado woman Emily Hernandez (allegedly aka "Em") to gain access to victims' devices and "carry out fraudulent SIM swap attacks" between March 2021 and April 2023.

SIM-swap attacks occur when someone fraudulently induces a wireless carrier to "reassign a cell phone number from the legitimate subscriber or user’s SIM card to a SIM card controlled by a criminal actor," the indictment said. Once the swap occurs, the bad actor can defeat multi-factor authentication protections and access online accounts to steal data or money.

Enlarge (credit: Bloomberg via Getty Images )

Twitter announced Friday that as of March 20, it will only allow its users to secure their accounts with SMS-based two-factor authentication if they pay for a Twitter Blue subscription. Two-factor authentication, or 2FA, requires users to log in with a username and password and then an additional “factor” such as a numeric code. Security experts have long advised that people use a generator app to get these codes. But receiving them in SMS text messages is a popular alternative, so removing that option for unpaid users has left security experts scratching their heads.

Twitter's two-factor move is the latest in a series of controversial policy changes since Elon Musk acquired the company last year. The paid service Twitter Blue—the only way to get a blue verified checkmark on Twitter accounts now—costs $11 per month on Android and iOS and less for a desktop-only subscription. Users being booted off of SMS-based two-factor authentication will have the option to switch to an authenticator app or a physical security key.