I don’t understand this comment, you say the encrypted values “are the smoking gun”, then at the end you say “(or not)”. Are you saying this happened, and the encrypted values show it, or are you just saying that they seem like evidence either way?
Even if we had AT&T’s keys, I think it might be non-trivial to verify that they correspond to this data, depending on how AT&T encrypts.
> Even if we had AT&T’s keys, I think it might be non-trivial to verify that they correspond to this data
What I was trying to say is that if AT&T systems (or a backup) contain that exact encrypted value (no need for a decryption key), it's a near-certain proof that the data came from their system.
> then at the end you say “(or not)”.
Well, only AT&T DBAs/SREs should be able to confirm what I wrote above and I don't want to accuse anyone without proof. Same reason why Troy Hunt wrote "allegedly".
The original comment comes off a bit more like an accusation with an escape clause. I'd agree that if the leaked data contains exactly the same information as the alleged source's servers, it would be evidence of the veracity of its source, but that has nothing to do with whether or not the data is encrypted.
I beg to differ. If the PII in the leak matches what's in AT&T DBs, they can still maintain plausible deniability that there is no proof the PII leaked from them. An encrypted DOB requires the DOB and an encryption key. The latter shall be unique and securely stored in their system, and that's why I referred to the presence of the encrypted data specifically as a smoking gun.
I use unique email addresses for each company; the one I use with AT&T (and only them) is in the dump. So I know at least the email was leaked from them.
Of course, that doesn't say anything about the other PII, but at this point, I figure my PII has already been leaked multiple times.