T-Mobile said "bad actors" obtained personal data of approximately 37 million of its users through a breach.
The stolen data included customer names, billing addresses, emails, phone numbers, dates of birth and T-Mobile account numbers, according to a filing summary addressed to the U.S. Securities and Exchange Commission (SEC).
The phone company said the hacker did not access its customers' "most sensitive" information, such as payment card information or personal identification numbers.
"We are continuing to diligently investigate the unauthorized activity," T-Mobile wrote to the SEC. "In addition, we have notified certain federal agencies about the incident, and we are concurrently working with law enforcement. Additionally, we have begun notifying customers whose information may have been obtained by the bad actor in accordance with applicable state and federal requirements."
The breach was believed to have started on November 25, 2022, but was not identified until Jan. 5, after which T-Mobile said it blocked access within a day.
A 2021 data breach affected 77 million T-Mobile customers, which led the company to pay out $350 million to lawyers and those affected. They then allocated an additional $150 million to data security.
The 2021 breach saw the customer data sold on the dark web and as of this writing, the most recent breach has not resulted in the data being sold.
The internal investigation is ongoing, with T-Mobile saying it would inform affected customers about the breach.