The Everest ransomware group has claimed responsibility for a breach involving AT&T’s official recruitment platform, alleging it holds more than 576,000 personal records from the telecom’s “Careers” portal. The group’s post appeared on its dark web leak site on October 21, 2025, with a four-day countdown before potential public release.
According to the listing, the data includes applicant and employee information used for job applications and resume submissions. The post is password-protected, suggesting that the dataset is not freely available and may be part of an extortion negotiation. HackRead reported that the Everest portal instructed an unnamed AT&T representative to “follow instructions” before the timer expired.
As of publication, AT&T has not confirmed or denied the incident. HackRead said its inquiries to the company’s security and communications teams had not yet received a response. The publication also noted that no sample data or verification has been provided, leaving the authenticity of the claim uncertain.
The Everest ransomware group has operated since 2021 and maintains a history of targeting large enterprises, including Coca-Cola and Mailchimp. Researchers classify it as both a data-theft and extortion operator, often publishing stolen corporate databases after failed ransom negotiations. Its leak site was temporarily defaced earlier this year but remains active with regular victim postings.
AT&T has faced multiple cybersecurity incidents in recent years. In April 2024, the company confirmed a breach impacting 73 million users, following claims from the ShinyHunters group. Another attack in June 2025 exposed 86 million records with decrypted Social Security Numbers, later resulting in a $177 million settlement.
The latest Everest listing raises questions about whether the alleged compromise originated within AT&T systems or through a third-party service provider. No forensic evidence has yet been published, and analysts are continuing to monitor for verification or company statements.