Almost 157,000 TalkTalk customers had their personal details hacked in last month’s cyber-attack on the telecoms company.

Talk Talk said the total number of customers affected by the attack two weeks ago was 156,959, including 15,656 whose bank account numbers and sort codes were hacked.

The total is 4% of TalkTalk’s 4 million customers and is a small fraction of the number feared when news of the attack broke. The number of customers whose bank details were stolen is lower than an estimate of less than 21,000 released a week ago.

The company said 28,000 credit and debit card numbers, with some digits obscured, stolen by the hackers cannot be used for payment and customers cannot be identified from the data.

TalkTalk said it had worked to establish how much personal data had been stolen in the hacking attack on 21 October and that it was now able to publish definite numbers. It advised customers to be on guard against scam emails and phone calls and said the stolen information on its own could not lead to financial loss.

When the cyber-attack was revealed, TalkTalk said it did not know how many customers were affected, raising concerns that hundreds of thousands of customers could be at risk. The company was criticised for its lack of information and for failing to to take precautions after being hacked twice before this year.

TalkTalk said: “Our ongoing forensic analysis of the site confirms that the scale of the attack was much more limited than initially suspected. It was a difficult decision to notify all our customers of the risk before we could establish the real extent of any data loss. We believe we had a responsibility to warn customers ahead of having the clarity we are finally able to give today.”

Two teenage boys have been arrested and bailed in connection with the cyber-attack – a 16-year-old from west London and a 15-year-old from County Antrim, Northern Ireland. TalkTalk said the company and the Metropolitan police were continuing their investigations.

TalkTalk said it would not contact customers about the hacking incident and ask for bank details or other personal or financial information.