US operator AT&T revealed data from 7.6 million customers and 65.4 million former account holders had been released on the dark web, with the company in the process of assessing whether the information originated from its systems or a vendor.

AT&T stated a robust investigation supported by internal and external cybersecurity experts was underway.

The leaked data contains personal information including social security numbers, but the company believes “financial information” and call histories are not present. The data set was released around two weeks ago, and AT&T’s preliminary analysis dates the material to 2019 or earlier.

“Currently, AT&T does not have evidence of unauthorised access to its systems resulting in exfiltration of the data set,” it added.

The operator noted it was “communicating proactively with those impacted” and would cover the cost of customer credit monitoring where applicable. Leaked passcodes have been reset.

In a portal for those affected, AT&T encouraged “customers to remain vigilant by monitoring account activity and credit reports”, pointing them to the availability of free fraud alerts from bureaus in the US.

It also told customers the company takes “cybersecurity very seriously and privacy is a fundamental commitment”.