While initially denying the hacker's claims that they had the information of 100 million T-Mobile customers, the telecom giant admitted that more than eight million customers had their information lost in the cyberattack.
"Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts' information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile. Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers," T-Mobile's public relations team said in a statement.
"At this time, we have also been able to confirm approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed."
The company said it will be sending out letters to victims and is offering affected customers two years of free identity protection services with McAfee's ID Theft Protection Service.
They also urged all T-Mobile postpaid customers to change their PINs through their T-Mobile account online or by contacting the Customer Care team by dialing 611.
T-Mobile reiterated that their investigation did not uncover evidence that any postpaid account PINs were compromised. The company will additionally be offering an "extra step" to protect the accounts of postpaid customers.
There will also be a webpage designed to help victims understand what happened and what they should do.
"We have already proactively reset ALL of the PINs on these accounts to help protect these customers, and we will be notifying accordingly right away. No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed," a T-Mobile spokesperson said, admitting that social security numbers, names, dates of birth, and driver's license information had been accessed.
"We have also confirmed that there was some additional information from inactive prepaid accounts accessed through prepaid billing files. No customer financial information, credit card information, debit or other payment information or SSN was in this inactive file."
T-Mobile called the attack "highly sophisticated" and said the investigation has been "exhaustive," adding that law enforcement was contacted.
They confirmed what the hacker said earlier this week -- that the access point used to gain entry to T-Mobile's systems had been closed.
"We take our customers' protection very seriously, and we will continue to work around the clock on this forensic investigation to ensure we are taking care of our customers in light of this malicious attack," T-Mobile explained.
The company has been under fire since an unknown cyberattacker boasted about stealing 106GB of data. On an underground forum, they offered a sample of the stolen data, allegedly containing 30 million social security numbers and driver's licenses, for the price of six Bitcoin.
The unnamed hacker later spoke to Bleeping Computer and shared a screenshot of their SSH connection to Oracle's production server. According to their interview with the news outlet, they did not try to ransom T-Mobile because they already had buyers online.
The hackers also told another security researcher that they attacked in retaliation for the treatment of John Erin Binns, a cybercriminal implicated by US law enforcement in the Satori botnet conspiracy.
"The breach was done to retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019," the hacker allegedly told Alon Gal, co-founder of cybercrime intelligence firm Hudson Rock.
"We did it to harm US infrastructure."