2024 TfL hack affected around 10 million people, BBC can reveal


The BBC was contacted by someone in the hacking community who obtained a copy of the full TfL database.

It contains names, email addresses, home phone numbers, mobile phone numbers and physical addresses of an estimated 10 million people.

The person, who did not reveal their identity, shared the database with the BBC so it could verify the data.

The data, deleted by the BBC after viewing, contains millions of lines of names and personal details - including my own.

In total it has nearly 15 million 'lines' of data, but some of these are thought to be duplicates.

TfL has said it carried out a thorough investigation into the hack, but refused to give a precise figure for how many people were affected.

Now, the organisation has admitted it sent emails to 7,113,429 customers with an email address registered to their TfL account to notify them of the incident.

But it said the emails had a 58% open rate - suggesting millions of people impacted did not read the statutory notification or that those who, like myself, did not have an active email registered were not warned that criminals had their data.

The risk to individuals remains low but being a victim of a data breach increases the likelihood of being targeted in scams and fraud attacks.

Stolen databases are often traded or shared in hacker communities and forums.

The person who shared the database with the BBC says they are not aware of the data being used to carry out any secondary attacks yet.

TfL said at the time of the incident it had identified about 5,000 customers at heightened risk because their Oyster card refund data may also have been accessed, which could include bank account numbers and sort codes.

The company said "as a precautionary measure" it wrote to these people on email and by post offering support.

"In addition, we publicised that information on customer names and contact details may have been taken - including email addresses and home addresses, where provided," a TfL spokesperson added.

Some hacked companies do tell the public the full extent of data breaches, especially in other countries:

  • In the Netherlands, telecoms firm Odido has been transparent in its response to an ongoing data extortion attack, saying six million customers are impacted

  • In South Korea, e-commerce giant Coupang told the public 33 million customers had been affected and even offered vouchers as compensation.

But companies falling victim to cyber-attacks in the UK are not legally required to publicly disclose the total number affected by breaches.

Last year the Co-op admitted - when asked during a live TV interview on the BBC - that 6.5 million people were affected by its breach last spring.

Neither Marks and Spencer nor Harrods have put a number on breaches occurring around the same time.

Data protection and cyber security experts say not revealing this information does little to help the fight against cyber-crime.

"After a breach it's essential that individuals are informed exactly what has happened to their data and what the potential risk might be to their privacy," says data protection consultant Carl Gottlieb.

He adds knowing the scale of the breach is important "as large datasets can be more valuable to attackers and more likely to be used in future fraud attempts".

Security researcher Kevin Beaumont said informing the public of the scale of a breach was "the most basic requirement for transparency", adding UK regulation or the law should change to help victims of data theft.

TfL was cleared by the UK's data watchdog, the Information Commissioner's Office (ICO), of any wrongdoing for the breach and its handling of the aftermath.