As of a year or two ago when I worked at an authorized AT&T dealer, manager logins can access any account without a PIN and any employee can access prepaid accounts without a PIN.
Edit: for whatever it's worth, AT&T does keep a record of what employees accessed an account and when, and notes when managers bypass the PIN, so doing this as an employee seems really stupid to me.
Interesting, I figured since they claimed that wasn't possible that they didn't keep records. I'll have to go bug them again to see if they can investigate it further. I'm not sure if this was an instance of targeted social engineering or an employee, though I would assume the former is more likely.
I'm not sure what customer service policy is about telling customers, but in store at least we definitely had a notes section of every account with breakdowns of what internal usernames accessed the accounts and when. The fraud dept, I assume, would be the ones to look at who the employees were from the usernames, but we didn't handle that kind of stuff at the authorized retailer stores, so no advice to give you unfortunately :/