A dataset allegedly tied to AT&T's recruitment platform has surfaced on underground forums, reportedly containing roughly 576,000 records of job applicants and employees. Threat intelligence observers have linked the leak to the Everest ransomware group, with the breach believed to have occurred in 2025 before publication this week.
What Happened
The dataset appeared on a known underground forum and was quickly attributed to the Everest ransomware operation, a group with a track record of high-profile corporate intrusions. The leak follows the now-familiar double-extortion playbook: data is exfiltrated, the victim is privately pressured to pay, and when negotiations stall or fail, the stolen records are dumped publicly as leverage or retaliation. The lag between the suspected 2025 intrusion and the April 2026 publication strongly suggests a failed extortion cycle. AT&T has not publicly confirmed the breach at the time of writing, but analysts reviewing the structure and consistency of the data say it appears legitimate rather than recycled or fabricated.
What Was Taken
According to reporting from UNDERCODE NEWS, the leaked archive contains approximately 576,000 records drawn from AT&T's careers platform. Exposed fields reportedly include:
- Full names of job applicants and employees
- Email addresses
- Phone numbers
- Associated communication and contact metadata
Financial details, government identifiers, and credentials have not been cited in the disclosure, but the personally identifiable information present is more than sufficient to fuel targeted phishing, recruiter impersonation scams, and identity verification abuse.
Why It Matters
Recruitment platforms are a soft underbelly of large enterprise security programs. They sit adjacent to HR systems, hold large volumes of PII, and are often operated by third parties or maintained outside the scrutiny applied to core production environments. A leak of 576,000 records tied to one of the largest telecommunications carriers in the United States gives attackers a curated list of individuals who have either trusted AT&T with personal data or actively work inside the organization. That dataset becomes a long-tail asset for spearphishing, business email compromise pretexts, and social engineering against AT&T staff and partners. It also reinforces a broader trend: Everest and peer groups are increasingly monetizing HR-adjacent data when traditional ransomware payouts dry up.
The Attack Technique
The initial intrusion vector has not been publicly disclosed. Everest's historical tradecraft, however, is well documented. The group typically gains access through purchased credentials from initial access brokers, exploitation of unpatched edge devices and VPN appliances, and exposed remote services. Once inside, operators move laterally to identify high-value data stores, exfiltrate them over encrypted channels, and stage extortion negotiations in parallel with or in place of file encryption. The reported delay between intrusion and public leak is consistent with that pattern and indicates the data sat in Everest's possession for months while extortion played out behind the scenes.
What Organizations Should Do
- Audit recruitment and HR platforms. Treat careers portals, applicant tracking systems, and recruiter SaaS tools as in-scope for the same controls applied to production: SSO enforcement, MFA, logging, and quarterly access reviews.
- Hunt for Everest indicators. Pull the latest IOCs and TTPs for Everest from CISA and reputable feeds, then sweep EDR and network telemetry for matches across the past 12 months.
- Harden initial access pathways. Patch externally facing VPNs, firewalls, and remote management interfaces. Enforce phishing-resistant MFA on all internet-exposed authentication.
- Notify and protect impacted individuals. Anyone who has applied to or worked at AT&T should be on heightened alert for phishing, fake recruiter outreach, and SMS-based smishing referencing job opportunities.
- Tabletop a data-only extortion scenario. Many leadership teams still rehearse encryption events. Run an exercise that assumes no encryption, pure data theft, and a public leak deadline.
- Tighten third-party data flows. Inventory which vendors touch applicant data, confirm contractual breach notification windows, and require evidence of their detection and response posture.
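The exfiltration step described under "The Attack Technique", and the telemetry sweep recommended above, both come down to one question for defenders: did an HR-adjacent host push an unusual volume of data to somewhere outside the organisation? The script below is an added illustration, not code from the article or from any AT&T or Everest-related source. It runs a simple baseline check over constructed daily flow summaries: for each tagged careers/ATS host it sums outbound bytes to external destinations per day and flags any day that exceeds both an absolute floor and ten times the median of that host's other days. The host names, IP addresses, internal ranges and flow records are all made up for the example.

```python
"""
Added example (not from the article): flag bulk external egress from HR-adjacent
hosts, the exfiltration step that a data-only extortion campaign depends on.
All host names, IPs and flow records below are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumption: tags for careers / applicant-tracking systems come from an asset inventory.
HR_HOSTS = {"ats-db-01", "careers-web-01"}

# Assumption: the organisation's own address space; anything outside it is "external".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed daily flow summaries: (day, src_host, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("2025-06-01", "ats-db-01", "10.20.0.5", 5432, 80_000_000_000),   # internal replication, ignored
    ("2025-06-01", "ats-db-01", "203.0.113.9", 443, 2_000_000),
    ("2025-06-02", "ats-db-01", "203.0.113.9", 443, 2_500_000),
    ("2025-06-03", "ats-db-01", "203.0.113.9", 443, 1_800_000),
    ("2025-06-04", "ats-db-01", "203.0.113.9", 443, 2_200_000),
    ("2025-06-05", "ats-db-01", "203.0.113.9", 443, 2_100_000),
    ("2025-06-06", "ats-db-01", "203.0.113.9", 443, 1_900_000),
    ("2025-06-07", "ats-db-01", "198.51.100.77", 443, 9_000_000_000),  # the constructed anomaly
    ("2025-06-01", "careers-web-01", "203.0.113.20", 443, 500_000_000),
    ("2025-06-02", "careers-web-01", "203.0.113.20", 443, 480_000_000),
    ("2025-06-03", "careers-web-01", "203.0.113.20", 443, 510_000_000),
    ("2025-06-04", "careers-web-01", "203.0.113.20", 443, 495_000_000),
    ("2025-06-05", "careers-web-01", "203.0.113.20", 443, 530_000_000),
    ("2025-06-06", "careers-web-01", "203.0.113.20", 443, 470_000_000),
    ("2025-06-07", "careers-web-01", "203.0.113.20", 443, 520_000_000),
    ("2025-06-03", "build-01", "198.51.100.5", 443, 50_000_000_000),   # not an HR host, out of scope
]


def is_external(ip: str) -> bool:
    """True when the destination is not inside any of the organisation's own ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_egress(flows, hosts):
    """Return {host: {day: {dst_ip: bytes}}} counting only external destinations."""
    out = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for day, host, dst, _port, nbytes in flows:
        if host in hosts and is_external(dst):
            out[host][day][dst] += nbytes
    return out


def flag_bulk_egress(flows, hosts, factor=10, min_bytes=1_000_000_000):
    """
    Flag (host, day) pairs whose external egress exceeds both an absolute floor
    and `factor` times the median of that host's other days. The floor keeps
    a normally quiet host from alerting on a small bump; the ratio keeps a busy
    public web server from alerting on its everyday traffic.
    """
    alerts = []
    for host, days in external_egress(flows, hosts).items():
        totals = {day: sum(dsts.values()) for day, dsts in days.items()}
        for day, total in totals.items():
            others = [v for d, v in totals.items() if d != day]
            baseline = median(others) if others else 0
            if total >= min_bytes and total > factor * baseline:
                top_dst = max(days[day], key=days[day].get)
                alerts.append({"host": host, "day": day, "bytes": total,
                               "baseline": baseline, "top_dst": top_dst})
    return sorted(alerts, key=lambda a: (a["host"], a["day"]))


if __name__ == "__main__":
    for a in flag_bulk_egress(FLOWS, HR_HOSTS):
        print(f"{a['day']} {a['host']}: {a['bytes'] / 1e9:.1f} GB external "
              f"(baseline {a['baseline'] / 1e6:.2f} MB/day), mostly to {a['top_dst']}")
```

Run against real flow or proxy summaries, the two knobs worth tuning are `min_bytes` and `factor`; the point of the median baseline is that a single exfiltration day does not drag the baseline up with it, which a simple mean would. The internal replication flow and the out-of-scope build host show why destination filtering and host tagging both matter: without them the 80 GB internal copy and the 50 GB build artifact upload would drown out the 9 GB transfer from the applicant database.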