On Friday, the company confirmed it had received an email demanding money, though it said it didn't know if it was legitimate.
Krebs says in a blog post published Saturday that a "source close to the [police] investigation" told him that the would-be extorter provided "evidence" that they were the hacker in the form of an internal database containing details of 400,000 customers.
They are apparently threatening to release the data if they are not paid, and are asking for the payment to be made in bitcoin, an anonymous digital currency.
TalkTalk announced it had been hacked on Thursday, and that as many as 4 million customers' details may be affected. These include email addresses, banking info, and phone numbers.
Krebs' report comes at the same time as a new statement from the company, downplaying the hack somewhat. It now says that "this cyber attack was on our website not our core systems," and that the company did not store full credit card details, "and therefore are not usable for financial transactions."
Passwords have not been accessed, the company says.
However, some of the customer data was stored in an unencrypted format, as the company initially confirmed on Friday. Encryption scrambles data so that it is unintelligible without the correct password or key, and is standard practice for protecting sensitive information at rest.