T-Mobile US overnight confirmed personal information on current, former, and prospective customers was exposed and stolen in a “highly sophisticated cyberattack” against its systems. 

“Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile,” the operator said in a statement.

The carrier said its investigation is still underway and it continues to learn additional details, leaving room open for the possibility that the extent of the attack is even greater and potentially as bad as the hackers alleged earlier this week. Hackers claimed personal data on more than 100 million customers was stolen during the attack.

T-Mobile thus far claims personal data on nearly 49 million individuals was compromised, adding that “some additional information from inactive prepaid accounts accessed through prepaid billing files.”

Initial details on the number of individuals involved, according to T-Mobile, calculates to about 15% of the total U.S. population.

T-Mobile said the stolen data includes customers’ first and last names, dates of birth, social security numbers, and driver’s license information. The operator also disclosed approximately 850,000 active T-Mobile prepaid customer names, phone numbers, and account PINs were exposed. “No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed,” the operator said in a statement. 

T-Mobile said it has yet to uncover any evidence the stolen data included financial information, including credit card details, or other payment information from customers. 

The operator said it “began an exhaustive investigation into these claims and brought in world-leading cybersecurity experts to help with our assessment.” 

As more details emerge, the scope of the damage done could be worse than what the operator has discovered thus far. Analysts yesterday told SDxCentral this is likely the largest carrier breach on record, and noted that this marks T-Mobile’s sixth-known data breach in four years. 

T-Mobile said it’s contacting customers and other individuals who may be at risk from this cyberattack and offering free access to identity protection services. The operator also encourages all postpaid customers to change their PIN, adding “this precaution is despite the fact that we have no knowledge that any postpaid account PINs were compromised. 

“We take our customers’ protection very seriously and we will continue to work around the clock on this forensic investigation to ensure we are taking care of our customers in light of this malicious attack,” the operator said in a statement. “While our investigation is ongoing, we wanted to share these initial findings even as we may learn additional facts through our investigation that cause the details above to change or evolve.”