British broadband provider TalkTalk has been hacked, the company announced late Thursday, and customers' data — including credit card details — may have been stolen.

In a statement, TalkTalk called the attack "significant and sustained." Up to 4 million customers may be affected, according to the Financial Times. The Metropolitan Cyber Crime Unit is now investigating.

TalkTalk chief executive Dido Harding told the BBC that she had received an email from someone claiming to be the hacker who was demanding money from the company.

TalkTalk shares have plummeted 9% on the news.

It's not yet clear who is behind the hack, but a group describing itself as a Russian jihadist cyberterrorist group is claiming responsibility. BuzzFeed has spoken to a TalkTalk customer included in an apparent preliminary dump of customer data, and it appears to be legitimate — although the hacker's stated political affiliation could well be false.

Here's what customer data TalkTalk says may have been "accessed" — and presumably stolen:

Names

Addresses

Dates of birth

Email addresses

Telephone numbers

TalkTalk account information

Credit card details and/or bank details

The company has around 4 million UK customers.

The BBC is reporting that TalkTalk's website was targeted by a DDoS attack — overwhelming servers with traffic. This on its own wouldn't give the attacker access to internal data, however.

The TalkTalk website is still unavailable; as of Friday morning, this is what users attempting to access their account see:

Here's what the news has done to TalkTalk's share price:

TalkTalk customers have been hit with hack attacks before. In a statement issued in August 2015, it said its mobile sales site had been targeted by "a sophisticated and co-ordinated cyber attack, along with a number of other similar websites." The company warned that customer details may have been compromised in that attack.

In February 2015, it announced that "thousands" of customers' information was also stolen.

It's not yet clear whether the hackers gained access to customers' full credit card details, or if they were at least partially encrypted (if they weren't, it'd be a major security issue). The company says that "not all of the data was encrypted" — had it been, it would be very difficult for the attacker to make any sense of it.

And even if the attacker doesn't have access to credit card data, it still puts customers at risk of fraud and scams.

Large sets of stolen customer data like this are often sold on dark web forums, where scammers can cross-reference them with other stolen datasets and use the information to impersonate and defraud the victims.

Fraudsters have used data stolen in previous TalkTalk hacks to impersonate company employees and trick customers into handing over more details. One man was scammed out of £2,800 after someone claiming to be from TalkTalk's fraud team called him and told him there was an issue with his account.

The BBC reports that TalkTalk is offering affected customers a year of free credit monitoring.

In a statement, TalkTalk said:

We would like to reassure you that we take any threat to the security of our customers’ data very seriously. We constantly review and update our systems to make sure they are as secure as possible and we’re taking all the necessary steps to understand this incident and to protect as best we can against similar attacks in future. Unfortunately cyber criminals are becoming increasingly sophisticated and attacks against companies which do business online are becoming more frequent.