UK provider TalkTalk has announced that fewer than 1.2m email addresses, names and phone numbers were accessed in last week's hack, along with 21,000 unique bank account numbers and sort codes and 28,000 obscured credit and debit card details.
The news comes amid a second boy being arrested for the alleged attack, which followed a 15-year-old boy from County Antrim in Northern Ireland being taken into custody on Monday.
Having already played down the impact of the breach, CEO Dido Harding added: "Today we can confirm that the scale of attack was much smaller than we originally suspected, but this does not take away from how seriously we take what has happened."
"Given the potential size of this attack, we decided to be as open, honest and transparent as we could because we wanted to keep our customers informed and ensure they had the advice and support they need.
"TalkTalk have done everything right in bringing this matter to our attention as soon as possible."
Detective Superintendent Jayne Snelgrove, of the Metropolitan Police Cyber Crime Unit said the company deserved credit for the way it had handled the breach.
She said: "TalkTalk have done everything right in bringing this matter to our attention as soon as possible.
"Our success relies on businesses being open with us and each other about the threats they encounter."