Image copyright Reuters

TalkTalk has confirmed the exact scale of last week's cyber-attack, with fewer people affected than earlier thought.

The firm said hackers accessed at most 1.2 million email addresses, names and phone numbers and 21,000 unique bank account numbers and sort codes.

It said the scaling down did not lessen the seriousness of the incident.

Police have made a second arrest, a 16-year-old boy from west London, in connection with the investigation into an alleged data theft from TalkTalk.

He was held on suspicion of Computer Misuse Act offences, and later bailed, after detectives searched an address in Feltham, Scotland Yard said.

On Monday, a 15-year-old boy was arrested and bailed in Northern Ireland in connection with the hacking.

The Metropolitan Police said officers had searched a residential address in Liverpool.

In an update on its website, TalkTalk also said hackers had accessed a maximum of 28,000 obscured credit and debit card details, with the middle six digits removed, and 15,000 customer dates of birth.

The phone and broadband provider, which has more than four million UK customers, said it would be writing to all affected customers to let them know what information had been accessed.

It said that any stolen credit or debit card details were incomplete - and therefore could not be used for financial transactions - but advised customers to remain vigilant against fraud.

TalkTalk chief executive Dido Harding said the scale of attack was "much smaller than we originally suspected", but that did not detract from the seriousness of the incident.

"We know that we need to work hard to earn back your trust and everyone here is committed to doing that," she said.

The TalkTalk website was hit by a "significant" cyber-attack last week.

MPs will launch an inquiry into the attack, with culture minister Ed Vaizey saying the government is not against compulsory encryption for firms holding customer data.