The breach occurred in late November but was discovered on January 5, based on an internal investigation.
However, the operator insists that passwords PINs, bank account or credit card information, social security numbers or other government IDs.
“We understand that an incident like this has an impact on our customers and regret that this occurred,” T-Mobile said in a statement.
“While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program.”
This isn’t the first time in the last few years that T-Mobile has experienced a widespread cyberattack.
In 2021, the operator suffered an attack that exposed almost 77 million customer accounts, names, social security numbers and driver’s license information.
The company subsequently agreed to pay US$350 million to settle customer claims and to spend US$150 million to enhance its cybersecurity practices.
Sam Curry, chief security officer at Cybereason said: “What is or isn't sensitive is an important question to ask. Whether or not sensitive data and financial information was lost isn't the point.
"Customer information is a privilege to hold, not a right; and while it's great that T-Mobile's network wasn't compromised in this instance, and that outright theft wasn't enabled through loss of direct billing numbers, eroding privacy and making it easier for hackers to compromise identities is still important and sensitive.
"It appears that T-Mobile moved quickly and, while the details aren't yet known, the world is paying attention for the results of this investigation.
"Hackers are innovative, and companies with valuable data and services are always a target, but it remains to be seen if the compromises in 2023 are similar to the ones suffered by T-Mobile in 2021. Did the company learn from 2021? Was 2023 unique? Was this a case this time around if anyone can fail occasionally or is it worse than that? Only time and the facts will tell us and tell T-Mobile and fellow practitioners what the new lessons-to-be-learned are.”