T-Mobile confirmed Wednesday that the information of more than 8 million customers as well as 40 million former or potential customers who had applied for credit with the company was compromised in a recent data breach.
The hacker accessed customers’ names, dates of birth, Social Security numbers, and driver’s license or ID information from some portion of the 7.8 million subscribers exposed in the breach. No phone numbers, account numbers, passwords, or financial information were compromised for paying customers, according to the company.
The company did not say if or how many of those 7.8 million customers were also involved in the credit application breach.
Names, phone numbers, and PIN numberss of roughly 850,000 active pre-paid customers were exposed. T-Mobile said it has reset all PINs and will be notifying affected customers. The company said the hacker obtained “additional information from inactive pre-paid accounts accessed through prepaid billing files” from an unnamed number of accounts. The data did not include financial information or Social Security numbers.
No data from Metro by T-Mobile, former Sprint pre-paid, or Boost customers was included in the breach.
The breach is the fifth, and likely largest, the company has publicly disclosed since 2018, when hackers swiped the data of roughly 2 million customers. T-Mobile disclosed a smaller breach of roughly 200,000 users in January that included phone numbers and some call-related information. No personal or financial information was exposed in that case.
The company confirmed it was investigating a cyberattack on Monday and that it secured the breached servers. T-Mobile said it is still investigating the extent of the breach and is coordinating with law enforcement on the investigation.
The company said it began the investigation late last week when notified about online claims by a hacker that they had infiltrated the company’s systems and stolen data.
The hacker claims to have stolen the sensitive information of more than 100 million of T-Mobile’s customers, as Motherboard first reported. The hacker advertised the sale of an alleged 30 million Social Security numbers and driver’s licenses from the breach.
T-Mobile will offer 2 years of free identity protection services with McAfee’s ID Theft Protection Service to customers whose personal information was exposed.