AT&T is telling about 9 million customers that some of their information was exposed after a marketing vendor was hacked in January.

“Proprietary network information of customers of certain wireless accounts has been exposed, such as the number of lines on an account or a wireless rate plan,” AT&T told BleepingComputer.

“The information did not contain credit card information, social security numbers, account passwords or other sensitive personal information. We are notifying affected customers.

While the data breach notification doesn’t share the number of affected customers, AT&T told BleepingComputer that “approximately 9 million wireless accounts had access to their proprietary network information.”

The company said the exposed dataset is several years old and primarily related to device upgrade eligibility. He added that none of his systems were compromised during the vendor security incident.

The CPNI data exposed includes information related to its services, such as the number of lines tied to a customer’s account or the wireless plan they subscribe to, according to AT&T.

However, AT&T Privacy Policy says that while CPNI does not include users’ phone number, name and address, it does contain “details of the person you called”.

Law enforcement alerted to breach

“​We have notified federal law enforcement of the unauthorized access to your CPNI, as required by the Federal Communications Commission,” AT&T said in CPNI breach notification letters, first spotted by DataBreaches.net And sent from att@message.att-mail.com.

“Our report to law enforcement does not contain specific information about your account, only that the unauthorized access occurred.”

Customers are advised to disable CPNI data sharing on their accounts by requesting a CPNI restriction to reduce risk of exposure in the future if AT&T uses it for third-party vendor marketing purposes.

An AT&T spokesperson has yet to respond to an email requesting more information about the specific information that was exposed in the incident and which provider was breached to have that data exposed. .

In August 2021, AT&T declined a data breach after a notorious threat actor put up for sale a database containing what he claimed was the personal information of 70 million AT&T customers.