T-Mobile US detailed the scale of a security hack uncovered earlier this week, estimating data on 7.8 million of its post-paid base, 850,000 prepaid and more than 40 million former or prospective customers had been exposed.

Reporting its preliminary findings, the company said the compromised information on contract, former and prospective customers did not include phone, account, or personal identification numbers; passwords; or financial details. The former and prospective customers impacted had previously applied for credit.

Data accessed on these groups included full names, dates of birth, social security numbers and driver licence details.

Prepaid user data exposed comprised names, phone numbers and account PINs. The company noted no Metro by T-Mobile, former Sprint prepaid or Boost Mobile customers were affected.

T-Mobile is yet to complete the investigation, which is being conducted along with various cybersecurity experts.

“As a result of this finding, we are taking immediate steps to help protect all of the individuals who may be at risk from this cyberattack,” the operator stated.

Customers are being offered two years of free identity protection software and are being asked to change their PINs as a precaution. T-Mobile is also offering enhanced account takeover protection capabilities.

“We take our customers’ protection very seriously and we will continue to work around the clock on this forensic investigation to ensure we are taking care of our customers in light of this malicious attack,” it added.

T-Mobile confirmed the breach on 16 August following media reports stating data on 100 million people stolen from its servers was for sale online.