The cyber criminals also got their hands on customers' names, genders, birthdays as well as bank sort codes, account numbers and home addresses.
The attack was, Vodafone said, well-planned, with “possible inside knowledge used to get deep in the company's IT system.” There are no clues at this point to suggest who did it.
One suspect's house has already been searched, bosses confirmed, and a hunt is underway to track the hackers down.
Vodafone said hackers had not gained access to credit card details, passwords, PIN numbers, mobile phone numbers or transaction details, but bank account numbers were stolen. “We apologize to everyone affected,” it said in Thursday's statement.
It should not, the statement said, be possible for the hackers to access bank accounts with the data they obtained. But the information could be used to make fake email accounts to use in phishing attacks.
Bosses have advised customers to be “be very careful when asked over the phone or via email to give out personal information like passwords or credit card details.”
In August, Vodafone admitted that certain router models had serious safety problems, of which they were aware for months but said nothing. Whether or not the hackers gained data through this hole is not yet clear.