TalkTalk, the phone and broadband giant with 4 million customers, has admitted it suffered a major data breach in which account numbers, addresses and phone numbers have fallen into the hands of online criminals – who have used the data to steal thousands of pounds.

It says a third-party contractor that had legitimate access to its customer accounts was involved in the data breach last year, and that it has begun legal action against the supplier.

The admission by TalkTalk comes after furious customers took to the company’s online forum to complain that they have received calls purporting to be from TalkTalk, but which turned out to be fraudsters. Customers say the callers know their TalkTalk account numbers and other personal details, which they use to attempt to gain access to the customer’s computer and to raid their bank account.

In December, the Guardian reported a possible data breach at TalkTalk, thought to have emerged from one of its Indian call centres. At the time, the company said it was investigating the issue, and in January said it was aware of around 100 complaints. But since then, many more customers say they have been contacted by the scammers.

One victim who came forward this week is Graeme Smith, who lives near Chester-le-Street in County Durham. He is still puzzled how the fraudsters, who had Indian accents, were able to make a transfer out of his Santander bank account.

The semi-retired HR consultant was called at 9am one morning by a woman claiming to be from TalkTalk’s fraud team, who told him they had detected hackers trying to gain access to his internet account via his router. The caller, he says, knew his name and all his other TalkTalk account details – enough to reassure him into thinking he was really talking to the firm. After being put through to what he was told was a senior technician, he was asked to download software that allowed the caller to take over Smith’s laptop remotely. Almost immediately his screen flashed up with “files with red crosses” which he was told needed to be removed.

“He said he would transfer the call to the refund department who would arrange compensation of £250 for the inconvenience of being hacked,” he says.

Smith says he was then led to a screen on his laptop showing a range of different bank icons and was asked to click on his bank – in his case Santander. While the scanning was going on, the scammer – a man who gave his name as Alex – said Smith would receive a text message soon on his mobile with an “OTP [One Time Passcode] code”.

“I hadn’t much experience of using these codes before and when the message came through I viewed it quickly. The amount on screen was different but he said this would be because it was in rupees. I was panicking and feeling extremely anxious about getting the threats to my computer sorted – so I passed on the OTP code to him.”

They told him TalkTalk’s refunds department was based in India, and that although the initial repayment was in rupees, it would be converted into sterling when it hit his account.

At this point the scammers appeared to use diversionary tactics designed to keep him occupied to allow the payment to go through. He was asked to leave his landline phone open so they could communicate with him. When he asked how long it would take, “Alex” said it would take some time but he couldn’t forecast how long. Eventually he was told that he should keep it open all night and that they would call him again at 7am the following morning.

“It was then that I became suspicious. I still did not want to close down my computer for fear of losing information but I decided to visit my local cash machine to check my bank account. Instead of receiving a credit of £250 there was a deduction listed as “bill payment” of £2,815. I knew then that I had been scammed and these people were fraudsters. I hurried home and the first thing I did was hang up my landline, dial 1471 to check the receiving telephone number (it was a Malaysian number) so I then closed down my computer altogether. I called TalkTalk who confirmed that I had not received an official call today. I then called my bank and reported the theft of £2,815.”

To his great surprise, “Alex” did call back at 6.40 the following morning. When Smith challenged him, calling him a thief, he tried to claim that technical problems had caused the payment. He reiterated that he was a genuine TalkTalk employee and again offered to tell Smith “anything about his TalkTalk bill” to prove his identity.

In a statement, TalkTalk says: “We have become aware that some limited, non-sensitive information about some customers could have been illegally accessed in violation of our security procedures. We are aware of a small, but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly.

“We want to reassure customers that no sensitive information like bank account details has been illegally accessed, and TalkTalk Business customers are not affected. We have taken serious steps to remedy this and we are continuing to work with the ICO [Information Commissioner’s Office]. We want to help our customers protect themselves from scams so we are writing to all customers again to warn them about this criminal activity, with full advice, support and a reminder of the many free services TalkTalk offers to try to stop malicious scams reaching them.”

Santander refuses to refund the money to Smith’s account. It says it is “really sympathetic to Mr Smith’s situation” but holds him responsible for the payment out of his account, and it will therefore not be refunding him. Smith, for his part, says he is certain he did not input or tell the fraudsters his online banking access codes, and he has no idea how they managed to make the payment from his account. The money went into an account held in the name of the money transfer service, TransferWise.

A Santander spokeswoman says: “While we appreciate this was a sophisticated scam, Mr Smith gave personal details by confirming the One Time Passcode to the fraudsters and thus validating and authorising the transfer of funds. The OTP, which Mr Smith received to his mobile phone, would have confirmed that the code was to make a payment of £XXX to account ending XXXX. The OTP is a security measure we put in place to protect customers against fraud, and Mr Smith would have used an OTP code to set this up to his mobile phone. The disclosure of this passcode to a third party is a breach of our terms and conditions, and it is for this reason that we cannot accept any responsibility for the losses on this account.”

Smith remains £2,800 out of pocket. In a statement, TalkTalk says: “We are sorry that Mr Smith has been a target of this highly vicious scam. We are in contact with him to provide support, and we would urge customers who have been victim to any scam where they have revealed financial information to contact their bank. We will continue to support Mr Smith via our dedicated fraud team, and we urge customers to be vigilant.”