The cellphone carrier said the stolen data included first and last names, birth dates, Social Security numbers and driver’s license information from a subset of current and potential customers. The victims included people who applied for credit with T-Mobile—regardless of whether they ended up doing business with the carrier—and about 7.8 million current subscribers with postpaid plans.
“Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers,” the company said.
T-Mobile said the breach also exposed the names, phone numbers and account PINs of about 850,000 of its customers on prepaid plans, which don’t require a credit check. Users of its Metro by T-Mobile, legacy Sprint and Boost Mobile brands weren’t part of that group.
The company didn’t disclose the extent to which the various victim groups overlapped. Some of the 40 million people who lost their personal credit details might have been included among the count of users with postpaid plans, which often require a Social Security number or other information to set up an account.
The admission is the latest setback for T-Mobile, which disclosed the breach earlier this week in response to reports of its customer information for sale on a hacker forum. Vice’s Motherboard tech site earlier reported on the breach.
The company said early Wednesday that it had reset the PIN codes of all the affected prepaid accounts and recommended that postpaid users do the same. The carrier said it would offer two years of free identity protection services from security firm McAfee.