Easier than you think. The email account associated is the weak link. The emails from ATT include your name and account number.
With that they find your SS# and reset your passwords and passcode, security questions and email address.
I recently changed my email on my account. Notice is sent to the old account. These notices of changes to your account can only be deleted if someone has access to your email.
This is why I put 2-step verification on my email.
Another concern is recycled or sold devices. Even a factory reset is not foolproof.