The cyber attack on TalkTalk was "smaller" than originally thought, but customers' bank account and sort code details may have been accessed, the company's chief executive says.
Dido Harding said any credit card details stolen would have been partial.
She added that the information hackers may have accessed would not have been enough to withdraw money "on its own".
The company also said it would "pause" marketing - including its high-profile advertising on X Factor.
Some customers have criticised the company's handling of the attack - saying they have received no contact.
Others criticised its refusal to let them cancel contracts for free.
In a statement on Saturday afternoon, TalkTalk said the attack was on its website, where full card details are not held - not on its core system.
Any credit card details accessed were incomplete - with many numbers appearing as an x - and "not usable" for financial transactions, it added.
Ms Harding said email addresses may also have been stolen and urged customers to remain vigilant.
But she told Sky News: "It is good news that it is a smaller attack than we had originally thought".
The police are continuing to investigate, the company added.
On Thursday, TalkTalk first revealed it had been subject to a cyber-attack in which personal and banking details may have been accessed by hackers.
The phone and broadband provider said it did not know how much of the customer information was encrypted.
It said it would contact all its four million current customers and has said an unknown number of previous customers may also be at risk.
A number of current customers have contacted the BBC to say they have had no correspondence, however.
One customer, Frank Wile, from Newbiggin, Northumberland, said the only information he had received was from the media.
"No phone calls or emails at all from TalkTalk; in fact the silence is deafening," he added.
Richard Bickley, from Milton Keynes, attacked the company for refusing to allow people to leave their contracts early without charge.
TalkTalk has said it will consider requests on a case-by-case basis later when more information is known.
Ms Harding told the BBC on Friday: "Waiving standard terms and conditions is not something sensible I can do today."
Some customers have also said money has gone missing from the their bank accounts.
Sarah Laird said her parents had around £9,000 taken after receiving a call purporting to be from the company. They were first contacted on Sunday, she said.
Hilary Foster told the BBC she had lost £600 from her account.
"I'm still very angry [about] the fact that my details are potentially out there somewhere on the internet and I'm going to have to keep checking my bank statements now for a long time," she said.
But TalkTalk said there was currently no evidence that customers' bank accounts had been affected as a result of this week's attack.
"We do know that there are a small number of customers who have previously been targeted by criminals and fallen victim to scams, and we are continuing to support those affected," the company said in a statement.
What should you do if you think you're at risk?
- Report any unusual activity on your accounts to your bank and, if you are in England, Wales or Northern Ireland, to the national fraud and internet crime reporting centre Action Fraud on 0300 123 2040 or www.actionfraud.police.uk. If you are in Scotland, call Police Scotland
- TalkTalk is advising customers to change their account password as soon as its website is back up and running and any other accounts for which you use the same password
- Beware of scams: TalkTalk will not call or email customers asking for bank details or for you to download software to your computer, or send emails asking for you to provide your password
There have been two other data breaches affecting TalkTalk customers in recent months.
In August, the company revealed its mobile sales site had been targeted and personal data breached.
And in February, TalkTalk customers were warned about scammers who had managed to steal thousands of account numbers and names. The attacks are understood to be unrelated.
The Metropolitan Police says it is in the early stages of investigating the latest hack, as well as a ransom demand from a group purporting to be behind it.
No arrests have been made.
TalkTalk said there was a chance that some of the following customer data had been accessed:
- Names and addresses
- Dates of birth
- Email addresses
- Telephone numbers
- TalkTalk account information
- Partial credit card details
- Bank account numbers and sort codes
Meanwhile, business leaders called for urgent action to tackle cyber-crime. The Institute of Directors said only "serious breaches" made the headlines, but attacks on British businesses "happen constantly".