A weekend breach of T-Mobile’s systems exposed the personal information of at least 47 million past and current customers, the company confirmed in a statement late Tuesday.
While the company is still investigating the breach, T-Mobile says it is confident they were able to identify and close the illegal access point to its servers.
The information of around 7.8 million current T-Mobile postpaid user accounts, as well as over 40 million records from previous customers or those who had applied for credit with T-Mobile, were accessed in the breach. T-Mobile says “no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers.”
But personal data from over 850,000 active T-Mobile prepaid customers, including names, phone numbers and PIN access codes, were exposed in the breach. T-Mobile has already reset all affected PIN numbers, and is in the process of notifying all impacted customers.
T-Mobile currently has “no indication” that any customers’ financial, credit or debit information was released in the hack.
“We take our customers’ protection very seriously and we will continue to work around the clock on this forensic investigation to ensure we are taking care of our customers in light of this malicious attack,” the company wrote in part. “While our investigation is ongoing, we wanted to share these initial findings even as we may learn additional facts through our investigation that cause the details above to change or evolve.”
As a result of the cyberattack, T-Mobile is offering customers two years of McAfee’s ID Theft Protection Service free of charge. The company also recommends all postpaid customers immediately change their PIN number, and will be posting more information on a publicly-available page later Wednesday.
News of a potential hack of T-Mobile’s system was first reported by Vice on Sunday, after reporters for Motherboard — Vice’s digital sector dedicated to “technology, science and humans”— came across a forum post selling data from potentially hundreds of millions of users.
While the post did not contain a direct mention of T-Mobile, the original poster reportedly told Motherboard the sale contained private information from over 100 million customers allegedly stolen from T-Mobile.
In an emailed statement to Spectrum News on Monday, a spokesperson for T-Mobile confirmed an unknown actor accessed T-Mobile's data, but said the company was working "around the clock" to find out if any personal data was revealed in the breach.
NOTE: This story was originally published on Monday and has been updated with new information from T-Mobile.