T-Mobile said Wednesday that hackers may have obtained sensitive personal information on more than 40 million current and past customers of the US wireless carrier.
The stolen data included social security and driver's license numbers, which could be used for identity theft, T-Mobile acknowledged while indicating that no passwords or financial information was accessed.
"Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts' information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile," a company statement said.
Additionally, T-Mobile said hackers obtained account information on an estimated 850 000 active T-Mobile prepaid customers — who have accounts with fewer credit requirements.
T-Mobile said it was taking steps to protect affected customers including identity theft protection for two years.
The carrier began a review following a report that hackers accessed data from 100 million accounts and were selling some data on dark web forums.
It said it was working with law enforcement and cybersecurity experts as part of its review, and has "located and immediately closed the access point that we believe was used to illegally gain entry to our servers".
According to screenshots posted by the security website Bleeping Computer, personal data from at least 30 million people were offered for sale on dark web forums for the equivalent of $280 000 in bitcoin.
The breach was first reported by the Vice website Motherboard, which quoted a seller claiming to offer "full customer info" of T-Mobile users.
The reports come following a wave of data breaches and ransomware attacks affecting a wide range of companies and organisations, including a US pipeline operator, Ireland's health IT system and a major airline in India.