UK carrier Three Mobile was the victim of a hacking scheme that has reportedly left the records of millions of customers exposed.

According to multiple UK media reports citing both Three and the National Crime Agency (NCA), hackers gained access to a Three database containing the account details of possibly six million customers.

Payment data, including bank account and card numbers, was not exposed, but the hackers did have access to customer names, addresses, phone numbers, and dates of birth.

It is believed that the hackers used the database to find customers eligible for handset updates and then place orders for the new phones, intercepting the parcels as they arrived and reselling the stolen phones.

Three has been quoted as saying it has seen an increase in phone thefts and upgrade scams recently, including at least eight cases of handset upgrades being ordered and then stolen while in transit. Thefts at retail stores have also been on the rise.

The NCA has arrested two men, one from Orpington, Kent, and the other from Ashton-under-Lyne, Manchester, on computer misuse allegations. A third man was arrested for allegedly attempting to pervert the course of justice.

This sort of scam isn't unknown. In 2014 workers at an AT&T service contractor were found to have been stealing account info in order to unlock and resell stolen phones.

Earlier this year, fellow UK carrier TalkTalk estimated that it had lost more than £60m as a result of a 2015 breach that exposed the account details of 156,000 customers. ®