Now those former and prospective customers, along with millions of current T-Mobile subscribers, find themselves victims of a data breach they had no control over. “The first risk is identity theft,” says John LaCour, founder and CTO of digital risk protection company PhishLabs. “The information includes names, social security numbers, driver’s license IDs: all the information that would be required to apply for credit as someone.”

The hack would also potentially make it easier to pull off so-called SIM swap attacks, LaCour says, particularly against the prepaid customers who had their PINs and phone numbers exposed. In a SIM swap, a hacker ports your number to their own device, typically so that they can intercept SMS-based two-factor authentication codes, making it easier to break into your online accounts. T-Mobile did not respond to an inquiry from WIRED as to whether International Mobile Equipment Identity numbers were also implicated in the breach; each mobile device has a unique IMEI that would also be of value to SIM-swappers.

T-Mobile has implemented a few precautions on behalf of victims. It’s offering two years of identity protection services from McAfee’s ID Theft Protection Service, and it has already reset the PINs of the 850,000 prepaid customers who had theirs exposed. It’s recommending but not mandating that all current postpaid customers change their PINs as well, and it is offering a service called Account Takeover Protection to help stymie SIM-swap attacks. It also plans to publish a site for “one-stop information” Wednesday, although the company didn’t say if it would offer any kind of lookup to see if you’re affected by the breach.

Instead, T-Mobile says it will rely on proactive outreach to victims. The carrier didn’t respond to an inquiry from WIRED as to what, if any, specific plans it had for that communication, or what specific information it will share with people whose data was compromised. Even sharing something as simple as a timetable would help, LaCour says, so that people could know they’re in the clear if they haven’t been a T-Mobile customer for a certain number of years.

In the meantime, if you’re a current T-Mobile customer you should go ahead and change your PIN and password; you can do so from your T-Mobile account online. You should take the free two years of ID monitoring, although it’s not yet clear how that will work in practice. You should start using app-based two-factor authentication wherever possible, rather than receiving those codes by text. For a more extreme but still prudent precaution, you can contact the three major credit bureaus and request a freeze on your credit report, which would stop anyone from accessing it or opening new accounts in your name.

Because the US lacks a comprehensive cybersecurity law, agencies like the Federal Communications Commission and Federal Trade Commission have limited ways to apply pressure, says Seton Hall’s Opderbeck, although the incident has already attracted FCC scrutiny. “Telecommunications companies have a duty to protect their customers’ information,” an agency spokesperson said in an emailed statement. “The FCC is aware of reports of a data breach affecting T-Mobile customers and we are investigating.”

If T-Mobile does face repercussions for the breach—its sixth in four years—it would more likely come from a class action lawsuit. Opderbeck says that his research has shown more than 30 data breach settlements in the last few years that resulted in a small cash payout and free credit monitoring as restitution. And Keller notes that even the class action route may be difficult to travel, because of a clause in T-Mobile contracts that can force customers into arbitration.