Locked out of bellsouth.net email
My wife has been locked out of her bellsouth.net email address, which she has had and relied upon for over 20 years, since mid-April 2023. We contacted AT&T support, who advised filling out an online form to regain access, since the online password reset tool did not work. We were told someone would contact us within 24-72 hours. We filled out the form as instructed, and we've followed up with AT&T support on several occasions since then, with no further update and no guidance other than to keep waiting. All of my wife's logins with financial institutions, healthcare, business, shopping, etc. are tied to her bellsouth.net email address and she cannot even change her email address or passwords with those companies without access to her original inbox. At one month in, this has become a major issue since we do paperless billing with everyone now and a full billing cycle has now passed. The security risk to us is also now high without her access to effectively manage credentials on her non-AT&T accounts.
I've read numerous articles online now that report that AT&T suffered a breach of one of their email APIs that was subsequently used for a multi-million dollar cryptocurrency theft scheme (e.g. - https://shorturl.at/ampNO). However, as internet, home phone and satellite TV customers for over 20 years, we've received no communication directly from AT&T on this security event, nor were we proactively notified that my wife's account was directly impacted, nor are any expectations being set on if and when she will ever get access to her email data again. AT&T support has acknowledged the security event on 2 interactions I've had with them and said that "many customers" were impacted and they are experiencing "high call volumes" as a result. But there is no offer of remedy other than to wait indefinitely for a call back from AT&T's security department.
In this day and age, this comes across as completely unreasonable to me. I understand that security breaches are now the new normal with cloud-based services. I've been in the cloud-based software development business for over 25 years myself. But it's a company's response to such events that matters the most. Not only should customers have been notified of the security event in full transparency, along with AT&T's response to the event, but they should have also communicated and set expectations on if and when the impacted accounts will be restored. My faith in AT&T's handling of our data and our privacy is currently sitting at 0%. We have no idea if an unauthorized party has access to my wife's email data. We have no idea if an authorized party has access to her non-AT&T online accounts or not. We have no idea if and when this will ever be resolved for her.
Another company I used to do business with, LastPass, similarly mishandled a security event last year, and as a result I am no longer a customer of theirs. My hope is that this message somehow makes it to AT&T management, which I also requested the last tech support rep I talked with to pass along out of desperation. I feel bad for every rep I have talked to, as they have been an outlet for my frustration, but their hands are tied and they are apparently unable to do anything about the situation. Do better, AT&T, and treat your customers with respect. Please, own the issue and clearly communicate to us what you plan to do about it.