Cyber security is a very complicated field. There are an infinite number of ways that someone could have breached security. It could have been and statistically was a social engineering attack.
There are software vulnerabilities all of the time that can be exploited for access. Recently SSH was discovered to be vulnerable across all Linux machines running at least a certain version of SSH. It didn’t require the victim to do anything but be online.
Microsoft had a zero day that required no interaction that could give kernel level access to a users computer with them knowing.
Neither of those are likely the culprit, but ATT is a large company that has valuable data that hackers wouldn’t mind putting extra effort into getting. At my current company that works with healthcare information, the number of attempts on us this year, that we are aware of, has more than tripled from all of last year.
Point being, some was probably negligent in that they clicked a bad link in an email, gave away something sensitive of a phishing call, or some other social engineering attack, because humans are often the weakest point in cyber security.