The breach of T-Mobile US Inc. allowed hackers to steal information about more than 40 million people and potentially sell the data to digital fraudsters and identity thieves.

Here is what we know about the hack, which data was stolen and what customers should do to protect themselves.

What was the T-Mobile data breach?

T-Mobile said it learned late last week that an individual in an online forum claimed to have breached its systems and was attempting to sell stolen customer data. The company confirmed on Aug. 16 that it was hacked, adding the following day that attackers made off with personal data from nearly 48 million people. Those victims include 7.8 million current postpaid customers, T-Mobile said, and about 40 million former and prospective customers who applied for plans.

While U.S. officials have warned of an uptick in ransomware attacks in recent months, T-Mobile’s hackers didn’t lock up the company’s systems and demand payment. Instead, attackers broke into the company’s servers through an open access point, stole data and have since tried to sell different sets of the information online for between $80,000 and $270,000 worth of bitcoin.

The attack is the latest and most severe in a string of cybersecurity incidents at the company, said Allie Mellen, a cybersecurity analyst at research firm Forrester Inc.

“It seems T-Mobile has not learned from these previous breaches, especially considering they didn’t know about the attack until the attackers posted about it in an online forum,” she said.

What data was stolen?

The pilfered records vary by group. Records on postpaid customers and prospective customers include victims’ first and last names, dates of birth, Social Security numbers and driver’s license information, according to T-Mobile. These stolen files don’t include account numbers, passwords or PIN codes.

Hackers also seized names, phone numbers and account PIN codes for about 850,000 prepaid customers, according to T-Mobile.

“We have no indication that the data contained in the stolen files included any customer financial information, credit card information, debit or other payment information,” the company said.

How can criminals use my personal information?

Information contained in the breach is regarded as sensitive data because it can be used for fraud. Criminals may be able to open bank accounts or take out loans in others’ names, or steal their identities, for example. Such actions can damage personal economic gauges, including credit ratings, and cause problems for consumers who later apply for credit such as mortgages.

“You can start forming an identity on somebody when you start saying, ‘I’ve got a name, I’ve got an address, I’ve got a Social Security number, I’ve got a driver’s license.’ You can start putting these things together,” said Tom Kelly, president of data-breach response company Identity Theft Guard Solutions Inc., known as IDX.

Hackers also may be able to use compromised information to carry out SIM swapping attacks, in which a mobile phone is effectively cloned by another device and takes over a number. These attacks can have far-reaching consequences, enabling criminals to reset passwords or bypass tougher security measures such as two-factor authentication, in which a unique number is often sent to or created on a mobile device for identity verification. This can then allow crooks to break into email accounts, which may contain further sensitive information about bank accounts, pensions or other services.

T-Mobile is offering affected customers two years of free identity protection services, including credit file monitoring.

Photo: David Paul Morris/Bloomberg News

What should customers do?

T-Mobile has set up a website containing information about the breach and advice on how consumers can protect themselves. This includes changing PIN codes and passwords and activating certain services that T-Mobile offers. Some of these services are limited to postpaid customers, including additional security measures that prevent numbers from being ported to another device remotely.

The company is offering affected consumers two years of free identity protection services through McAfee Corp., including credit file monitoring. Experts recommend that people concerned about identity theft freeze their credit files with the three largest bureaus— Experian, Equifax and TransUnion. Doing so will stop criminals from applying for credit in your name, but some say this effectively passes responsibility on to the victims of data breaches.

“Unfortunately, consumers do have to do all the damage control for these companies, which is frustrating,” said Amy Keller, a partner at law firm DiCello Levitt Gutzler LLP, who has served as co-lead counsel on class-action lawsuits over major data breaches, including Equifax’s 2017 data breach.

Are authorities investigating this hack?

The Federal Communications Commission, which regulates the telecommunications sector, said Wednesday it is investigating the incident.

“Telecommunications companies have a duty to protect their customers’ information,” a spokeswoman said.

The Federal Trade Commission also investigates personal data breaches, including an inquiry into the Equifax hack that ended with a settlement of at least $575 million. The FTC declined to comment on T-Mobile.

T-Mobile said it is coordinating with law enforcement as it investigated the hack. A spokesman for the Federal Bureau of Investigation said it is aware of the incident but declined to comment further.

Write to David Uberti at david.uberti@wsj.com and James Rundle at james.rundle@wsj.com