AT&T is preparing to pay out $177 million after two massive data breaches exposed sensitive information from tens of millions of customers. With the claims deadline approaching, millions of current and former users may now be eligible for cash.

The settlement stems from two major incidents that leaked everything from Social Security numbers to call records, according to the Associated Press. Affected consumers have a limited window to file for compensation, with payouts varying based on documented losses and eligibility.

A one-two punch to AT&T’s data defenses

The first breach traced back to account files from 2019 or earlier, exposing passcodes and other identifiers tied to 7.6 million current and 65.4 million former customers. That cache later appeared on the dark web and became the basis for widespread litigation.

The second breach involved call detail records taken from an AT&T workspace on a third-party cloud platform hosted by Snowflake in 2022 and early 2023. The content of calls and texts wasn’t taken, but metadata, such as numbers contacted, interaction counts, and some cell site information, was exposed. AT&T said the scope covered nearly all active subscribers at the time.

How to know if you’re covered

The settlement is split into two groups: people tied to the older account-file leak involving data from 2019 or earlier, and those swept into the 2022–2023 records incident pulled from a third-party cloud workspace. Anyone caught in both falls into an overlap category and can seek benefits from each fund.

AT&T has notified impacted customers directly, but eligibility also depends on how your number was classified. For the records incident, that includes account owners, line users, and end users whose phone numbers or interaction data appeared in the exposed files.

The cash on the line for customers

Payouts depend on which data breach you fall under and whether you can show financial harm.

For the older account-file leak, customers can claim up to $5,000 in documented losses or instead choose a tiered cash payment. Tier 1 covers those whose Social Security numbers were exposed and pays five times more than Tier 2, which applies to everyone else in that group, according to Kroll Settlement Administration.

For the cloud-based records incident, customers can request up to $2,500 in documented losses traceable to the breach. Account owners may also choose a Tier 3 pro rata payment as an alternative to a documented-loss claim. All tiered payouts will be divided based on the number of valid claims and settlement deductions for legal and administrative costs.

The AT&T settlement clock is ticking

Customers have until December 18, 2025, to submit a compensation claim, whether online or by mail. Those who want to opt out of the deal or file an objection must do so by November 17, 2025.

A federal judge will decide whether to grant final approval at a hearing set for January 15, 2026, in the Northern District of Texas. Anyone who takes no action will forfeit compensation and still be bound by the settlement once it’s approved.

Meanwhile, Anthropic reported that a Chinese state-aligned outfit exploited its AI model to execute a large-scale, self-directed hacking effort.