A compromise of an unnamed marketing vendor used by AT&T has exposed data associated with nearly 9 million wireless telecom accounts.

The breached data did not contain payment information, account passwords, Social Security numbers, or other personally identifiable information, AT&T said in a statement provided to Dark Reading. Instead, the cyberattack allowed unauthorized access to information used to determine eligibility it said, characterizing the data as years old. 

The mobile carrier is notifying affected customers, it said. According to notification letter in an AT&T Community forum.

"We recently determined that an unauthorized person breached a vendor's system and gained access to your Customer Proprietary Network Information (CPNI)," the data breach notification letter in the AT&T community forum read. "In our industry, CPNI is information related to the telecommunications services you purchase from us, such as the number of lines on your account or the wireless plan to which you are subscribed."

It added, "​We have notified federal law enforcement about the unauthorized access of your CPNI as required by the Federal Communications Commission. Our report to law enforcement does not contain specific information about your account, only that the unauthorized access occurred.​"