Sprint is informing customers today of a serious security breach that has exposed subscriber information like billing addresses, phone numbers, and other detailed account information, according to ZDNet. The breach is a result of vulernability, the details of which are currently unknown, in a Samsung website advertising an “add a line” feature for active Sprint account holders.

Sprint explained the breach in a letter sent out to consumers that was obtained by ZDNet. In the letter, Sprint says it was informed of the “unauthorized access” back in late June:

On June 22, Sprint was informed of unauthorized access to your Sprint account using your account credentials via the Samsung.com “add a line” website. We take this matter, and all matters involving Sprint customer’s privacy, very seriously.

What information was involved?

The personal information of yours that may have been viewed includes the following: phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility, first and last name, billing address and add-on services. No other information that could create a substantial risk of fraud or identity theft was acquired.

Sprint says it reset PIN codes on affected accounts to secure them within three days. But the company is leaving out some crucial details at the moment. We don’t know how many accounts were affected, how long the information was exposed, and what the nature of the vulnerability was that allowed hackers to access the information through a third-party company’s website, especially one as large and (hopefully) equipped to handle threats like these as Samsung.

The Verge has reached out to Sprint for additional comment.