Wireless carrier T-Mobile said on Wednesday that hackers accessed sensitive personal information from 7.8 million customers, with an estimated 40 million former or prospective customers also impacted.
The stolen data included social security and driver’s license numbers, which could be used for identity theft, T-Mobile acknowledged while indicating that no passwords or financial information was accessed.
“Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile,” a company statement said.
Additionally, T-Mobile said hackers obtained account information on an estimated 850,000 active T-Mobile prepaid customers — who have accounts with fewer credit requirements.
T-Mobile said it was taking steps to protect affected customers including identity theft protection for two years.
The carrier began a review following a report that hackers accessed data from 100 million accounts and were selling some data on dark web forums.
According to screenshots posted by the security website Bleeping Computer, personal data from at least 30 million people were offered for sale on dark web forums for the equivalent of $280,000 in bitcoin.
The breach was first reported by the Vice website Motherboard, which quoted a seller claiming to offer “full customer info” of T-Mobile users.
The reports come following a wave of data breaches and ransomware attacks affecting a wide range of companies and organizations including a US pipeline operator, Ireland’s health IT system and a major airline in India.