T-Mobile hack detailed: More than 47 million impacted in huge data breach

T-Mobile has confirmed more details of its huge hack, confirming that personal information on around 7.8 million current users and over 40 million former or prospective customers have been stolen from the carrier's compromised systems. The hacked data includes names, date of birth, social security number, and driver's license or other ID information for an unspecified percentage of the affected users.

Word of the T-Mobile hack broke earlier this month, with the carrier saying that it had been alerted to the security breach amid claims that customer data was up for sale. Earlier this week, T-Mobile confirmed, "a subset of T-Mobile data had been accessed by unauthorized individuals."

The good news is that the access point which the carrier believes was used in the hack has now been closed. T-Mobile is working with law enforcement, and the investigation is still underway. "We have no indication that the data contained in the stolen files included any customer financial information, credit card information, debit or other payment information," T-Mobile insists.

Still, that leaves plenty of personal data which could be used for phishing and more. "Some of the data accessed did include customers' first and last names, date of birth, SSN, and driver's license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers," the carrier admits.

Meanwhile, around 850,000 active T-Mobile prepaid customer names, phone numbers, and account PINs were also exposed, the carrier has confirmed. All of those impacted PINs have already been reset, as a security measure. Customers with Metro by T-Mobile, former Sprint prepaid, and Boost customers were not impacted.

"We have also confirmed that there was some additional information from inactive prepaid accounts accessed through prepaid billing files," T-Mobile adds. "No customer financial information, credit card information, debit or other payment information or SSN was in this inactive file."

It's an embarrassing turn of events for T-Mobile, and not the first time a huge number of user accounts were compromised in this way. Back in late 2015, for example, personal data on 15 million subscribers was stolen, including social security numbers and more. Another hack two years later saw the carrier criticized for lackluster security.

While the full investigation is still ongoing, T-Mobile has already said that it will be offering customers two years of identify protection services under McAfee's ID Theft Protection Service. All T-Mobile postpaid customers are recommended to change their PIN, even though, as T-Mobile adds, "we have no knowledge that any postpaid account PINs were compromised."

Account Takeover Protection capabilities for postpaid customers are also available, though T-Mobile will not be activating them proactively. Instead it's hoping customers look at a new page it plans to publish today, with more guidance.

Update: T-Mobile has published its new support page.