Data was compromised between the dates of September 1st, 2013 and September 16th, 2015, so anyone who got a credit check for either a new line of service or a new device during that time could be affected. Legere did point out that bank account or credit card payment information was not revealed, and Experian says that the company's consumer credit database was not affected -- it seems this attack was limited to T-Mobile subscribers only.
In his typically direct fashion, Legere said that he was "incredibly angry" about the attack and also noted he would conduct a "thorough review" of T-Mobile's relationship with Experian, but he was also quick to stress that neither T-Mobile's network nor its payment systems were attacked here. It seems all the blame goes to Experian in this case.
As is becoming commonplace when a major company gets hit with these increasingly frequent hacks, T-Mobile and Experian are offering two years of free credit monitoring and identity protection services. It's not clear if T-Mobile is contacting affected customers directly, but the company says anyone concerned they may have been impacted is free to sign up for the credit protection.
Update: the headline for this story has been changed to reflect that not all 15 million affected by this breach are T-Mobile customers; some are people who applied for a T-Mobile account but didn't actually become customers because of the credit check. John Legere also confirmed on Twitter that affected customers will see a message alerting them they were part of the hack. Experian will also be contacting affected individuals in writing.
[Image credit: Associated Press / Jeff Chiu]