BleepingComputer asked AT&T if it was possible the data came from a third-party service provider or vendor but has not received a response at this time.
That was my thought: AT&T didn't get breached and leak the customer data of 71 million themselves. They merely sold that data to a third party who got breached and leaked the customer data of 71 million people.
They might have been better off claiming incompetence. OTOH, we already know AT&T is malicious from project Fairview, so perhaps in the end it’s better for PR to just stay in the malicious lane and not be regarded as both malicious and incompetent.