Telecommunications giants AT&T and Verizon haven't addressed the full scope of victims of an ongoing Chinese phone data hacking campaign, according to a new NBC report.

In a media call last week, the FBI told the press that they have yet to fully evict Chinese state-sponsored hackers from U.S. networks and that the agency has spent the past months alerting "high-value intelligence targets" — including the campaigns of Donald Trumpov and Kamala Harris — to the extent of the hack, mainly those of interest to the U.S. government.

But the vast majority of the near-million people affected are most likely average Americans, and most of them have yet to be notified that they're victims. According to NBC, the telecom companies haven't clarified plans to notify customers, either.

The China-backed espionage campaign, labelled Salt Typhoon by Microsoft threat detectors, has utilized what is known as advanced persistent threat (APT) attacks to invade at least eight telecommunications companies for the purposes of exposing personal, individual communications. Recent investigations unearthed the years-long initiative involved the hacking of Americans' data in addition to the monitoring of political targets' communications. It's been called the "worst telecom hack in [U.S.] history by far," by Senate Intelligence Committee chairman Senator Mark R. Warner.

According to NBC, Salt Typhoon also accessed device metadata for non-intelligence targets mainly in the Washington D.C. area, which could have been used to track movements and personal communications although does not provide the content of said communications.

The FCC mandates telecom companies notify customers only when its been established that customers have been or could be harmed by the breach. This includes "financial harm, physical harm, identity theft, theft of services, potential for blackmail, the disclosure of private facts, the disclosure of contact information for victims of abuse, and other similar types of dangers." But definitions and the scope of the breach's harm is up to the discretion of companies themselves.

So far, most of the affected telecom networks have remained tight-lipped over the breach. T-Mobile has alerted customers that an infiltration of their network happened, but have retained that hackers were evicted and no customer data was actually accessed.