AT&T has done an about-face, admitting it suffered a data breach in 2019 or earlier that impacted some 76 million customers.

Rumors have circulated for years that AT&T was hacked, but the company has repeatedly denied the allegations—despite hackers selling AT&T customer data on the dark web. The company maintained the data was not stolen as part of a breach, meaning it must have come from a third party, or the hackers were misrepresenting the data.

Apparently, AT&T is now admitting its data was compromised. The company says it does not believe “financial information or call history” was stolen, but virtually every other type of data was. The company says the data “may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and passcode.”

It has come to our attention that a number of AT&T passcodes have been compromised. We are reaching out to all 7.6M impacted customers and have reset their passcodes. In addition, we will be communicating with current and former account holders with compromised sensitive personal information.

Our internal teams are working with external cybersecurity experts to analyze the situation. To the best of our knowledge, the compromised data appears to be from 2019 or earlier and does not contain personal financial information or call history.

We encourage customers to remain vigilant by monitoring account activity and credit reports. You can set up free fraud alerts from nationwide credit bureaus — Equifax, Experian, and TransUnion. You can also request and review your free credit report at any time via Freecreditreport.com.

Customers should immediately take any necessary action to protect their information, although it would have been better if AT&T had not wasted several years denying the breach.