There has been a data breach.
Who? When? Where? How? What company was breached?
That part I can't tell you. The truth is, there has ALWAYS been a data breach, at some point, somewhere. Sometimes it's a big story, like the Anthem consumer data or Target card reader breaches from several years ago. Sometimes it doesn't make the news at all. Sometimes companies deny there has been an intrusion at all (until Brian Krebs publicly posts the proof on his website).
It's just a fact of modern living: unless your entire life has been lived completely off the grid, a chunk of your personal information is already out there, in the hands of people you'd rather not have it. It could be your name, phone number and the last four of your SSN. It could be almost everything about you, full account numbers and passwords, date of birth, the whole enchilada. Most likely it's a mixture of different data points.
It could just be your first name, mobile phone number and provider. Just those three pieces of information can be useful to scammers and identity thieves. Look at these text messages an acquaintance of mine received twice this month (one day apart):
AT&T Free Msg: bill is paid. Thanks, [Correct First Name]! Here's a little gift for you: [link redacted]
AT&T Free Msg: bill processed. Thanks, [Correct First Name]! Here's a little freebie for you: [completely different link redacted]
Those links likely lead to a website designed to harvest the victim's AT&T login information, then would probably go on to ask for banking account or other personal information, or attempt to glean credit card data in some form of advance fee scam. It could even be a "your phone is infected with 27 viruses, call this number to fix it" scheme. The possibilities are really endless.
This acquaintance does use AT&T as their mobile phone provider. They have automatic payments set up to come out about ten days after these texts showed up, so it wasn't too hard to see that something suspicious was afoot. But how many people get this text message the day after they make their AT&T payment? If you're not paying close attention to the fact that AT&T doesn't give you free things just for paying your bill, or that they would use an "att.com" or "att.net" website instead of [random string of letters and numbers].info, you might end up clicking on that link and thinking you're logging into to your real AT&T account before you knew what happened.
Always remember that scammers might have enough information about you to make their pitch seem realistic. A text or email that uses your name, or has some other correct piece of information about you, doesn't prove anything anymore. There have been enough security breaches (not to mention sales of data like buying habits and interests) for anyone to construct a plausible fraudulent offer.
