TalkTalk has revealed that 1.2 million customer details were stolen in an attack on its computer systems last week.
The internet service provider, which has been hacked three times this year, was previously unsure about how many of its four million customers had had their data compromised.
The details that were stolen included customer email addresses, names and phone numbers, in addition to 28,000 obscured credit and debit card details, and just under 15,000 customer dates of birth.
On Monday, a 15 year old from County Antrim in Northern Ireland was arrested after being implicated in the attack.
Today, the Metropolitan Police said that a second boy, 16, from Feltham in west London, had also been arrested in connection with the incident.
Police have confirmed that officers carried out a search at a residential property in Liverpool in connection with the cyber-attack, but have released no further details.
TalkTalk said that the amount of data that was stolen was far less than it had feared although it still advised customers to be vigilant and take all precautions possible to protect themselves from scam phone calls and emails.
A spokesman for the company added: "Since the cyber-attack on our website on Wednesday 21st October 2015, we have been working to establish what happened and, importantly, understand the extent of any individual customer data stolen during this attack.
"Our investigation continues, but we now know the extent of the data accessed is significantly less than originally suspected.
"As we have previously confirmed, the credit and debit card details cannot be used for financial transactions. In addition, we have shared the affected bank details with the major UK banks so they can take their usual actions to protect customers' accounts in the highly unlikely event that a criminal attempts to defraud them."
Gerard Bauer, vice president of cyber-security company Vectra Networks, said customers are always advised to use different email and password combinations for online services but often ignore this advice.
“With live British Gas and TalkTalk account credentials both currently in the public domain, cyber criminals will be attempting to use those same email addresses and password combinations elsewhere too,” he said.
“This provides an attack entry method that could allow cyber criminals to bypass traditional security defences in order to enter and exploit internal systems with the appearance of a legitimate user, which could allow them a cyber foothold within their targeted organisations.
“Organisations need to adopt a ‘we’re already compromised’ mindset. Put in place real-time cyber threat detection capabilities that allow them to identify and shut down in-progress attacks within their networks as early as possible.”