Uncarrier T-Mobile unable to protect customer data

US operator T-Mobile has confirmed that a hacker has accessed nearly 50 million customer records.

The self-styled Uncarrier revealed late on Tuesday that 7.8 million current postpaid customers are affected, as are more than 40 million former and prospective customers who had previously applied for credit with T-Mobile.

The data accessed is a treasure trove for identity thieves. It includes first and last names, date of birth, social security number (SSN) and driver’s licence/ID information. If that wasn’t bad enough, the names, phone numbers and even account PIN numbers of some 850,000 active prepaid customers were also exposed.

“We have no indication that the data contained in the stolen files included any customer financial information, credit card information, debit or other payment information,” T-Mobile said in a statement that offered only a tiny crumb of comfort to the victims.

News of the data breach first appeared over the weekend on Vice, which reported that a hacker was offering for sale personal information relating to more than 100 million T-Mobile customers. The operator on Monday admitted that it had indeed been breached, but at the time its investigation had not found evidence that customer information had been accessed. In an update late on Tuesday, the company broke news that was as unsurprising as it was unwelcome: customer data has been stolen.

“We take our customers’ protection very seriously and we will continue to work around the clock on this forensic investigation to ensure we are taking care of our customers in light of this malicious attack,” T-Mobile said.

Those affected will be offered a free two-year subscription to McAfee’s ID Theft Protection service, which would normally cost $115 after discounts for an individual user on a single device.

Victims have also been advised to change their account PIN. They will also be offered T-Mobile’s Account Takeover Protection service, which is designed to thwart SIM-swap attackers who try to port phone numbers to new SIM cards.

T-Mobile said it plans to publish a dedicated Website with information about how customers can protect themselves in light of the attack.

With nearly 50 million customer records leaked, it’s a major breach. According to cybersecurity specialist UpGuard, which maintains a list of the top 57 data breaches of all time ranked by number of records exposed, the T-Mobile hack appears to be the largest suffered by a traditional telco. However, it still doesn’t even make the top 40.

Way out in front is adult video-streaming service CAM4, which suffered a server attack that, ahem, exposed some 10.8 billion records containing personal information. Perhaps what is most surprising is that CAM4 appears to have more accounts than there are people here on Earth. Some customers must therefore have multiple profiles and be streaming to themselves, which is definitely normal and nothing to be ashamed about.

In second place, a name that spent years as a punchline (and punching bag) in the telecoms and tech press: Yahoo. The one-time Internet darling let hackers access an estimated 3 billion accounts. What was most shocking about this attack was that it took place in 2013, but Yahoo didn’t report the breach until 2016. Even then, it initially underestimated the number of compromised accounts by 2 billion.

UpGuard’s complete rogues’ gallery is available here. In the meantime, all T-Mobile US customers – including those lucky enough to escape the data breach unscathed – would do well to recall this incident the next time they talk to the customer retention team.
