(Bloomberg) -- AT&T Inc. said that personal data from about 73 million current and former customers was leaked onto the dark web, prompting it to reset 7.6 million account passcodes.

Most Read from Bloomberg

• Texas Toll Road Takeover to Cost Taxpayers at Least $1.7 Billion

• Apple Explores Home Robotics as Potential ‘Next Big Thing’ After Car Fizzles

• S&P 500 Falls 1% as Oil Jump Spurs Flight to Bonds: Markets Wrap

• Kim Jong Un Faces Annihilation in Most Korea War Scenarios

• Saudi Crown Prince MBS’s $100 Billion Foreign Investment Quest Falters

The data, which included 65.4 million former customers, spilled onto the dark web about two weeks ago. Information divulged may have included customers’ full name, email and postal address, phone number, Social Security number, date of birth, AT&T account number and passcode, the company said in an email to consumers. It apparently does not contain personal financial information or call history.

The data appears to be from 2019 or earlier, AT&T said Saturday in a statement. The source of the data is still being investigated, according to AT&T, and it’s not known whether it came from the company or a vendor.

Shares closed little changed at $17.50 after dropping nearly 3% Monday morning.

Read more: AT&T Outage Triggered by Company Work on Network Expansion

AT&T said it doesn’t have evidence of unauthorized access to its systems, and that the leak hasn’t had a material effect on its operations as of Saturday.

“The company is communicating proactively with those impacted and will be offering credit monitoring at our expense where applicable,” according to the statement.

AT&T was sued over the data breach, with a class action lawsuit filed March 30 in the US District Court for the Northern District of Texas saying the company recklessly maintained customers’ personally identifiable information and failed to take measures to secure its system.

The recent data leak comes about three years after a hacker known as ShinyHunters claimed to have stolen the personal information of about 70 million AT&T customers, according to reports from BleepingComputer at the time. AT&T denied then that it was the victim of a data breach, saying the stolen information didn’t come from its own systems.

The hacker posted only a small sample of records in 2021, which it was selling for a starting price of $30,000, according to media reports at the time. ShinyHunters had previously taken credit for breaches against other US companies, only to post databases of stolen data after apparently failing to convince other dark web users to pay for it.

TechCrunch earlier reported on the recent leak after a data seller published the full 73 million alleged AT&T records on a cybercrime forum. TechCrunch said it informed AT&T about the leak last week and held publication of its article until the company could begin resetting the passcodes.

AT&T is the third-largest US retail wireless carrier, behind Verizon Communications Inc. and T-Mobile US Inc., according to data compiled by Bloomberg. The company in February experienced a widespread outage that took hours to resolve, prompting an investigation by the federal government.

T-Mobile agreed in 2022 to pay $350 million to settle a class-action lawsuit after records of more than 50 million customers were leaked. The following year it revealed another major breach of customer information on about 37 million subscribers.

(Updates with information on data leaked in second paragraph and lawsuit in sixth paragraph.)

Most Read from Bloomberg Businessweek

• How Hertz’s Bet on Teslas Went Horribly Sideways

• Elon Musk’s X Has a Porn Problem

• How Bluey Became a $2 Billion Smash Hit—With an Uncertain Future

• Fixing Boeing’s Broken Culture Starts With a New Plane

• Canada’s RBC Struggles to Go Green While Financing Oil

©2024 Bloomberg L.P.