J.P. Morgan Chase & Co learned about hackers who stole the bank's contact information for 76 million households and 7 million small businesses through a corporate event that it sponsors, the New York Times and Wall Street Journal reported, citing people familiar with the matter.
According to the reports, the bank discovered that the intruders had used some of the same offshore servers to hack both the bank and the website of the JPMorgan Corporate Challenge.
The New York Times said the breach was part of a repository of a billion stolen passwords and usernames from some 420,000 websites that a Milwaukee-based security consulting firm, Hold Security, had traced to a gang of Russian hackers.
Further investigation by Hold and JPMorgan security specialists revealed that in April the hackers had obtained the website certificate for the Corporate Challenge site's vendor, Simmco Data Systems, allowing hackers access to any communications between visitors and the website, including passwords and email addresses, the Times reported.
It said Hold Security began informing its clients of the breach around August, and JPMorgan officials then told Simmco Data. The bank also looked at traffic on its own network and discovered the same hackers had breached that system.
The hackers had originally gained access to the bank's network by compromising the computer an employee with special privileges had used both at work and at home and then moved across the bank's network to access contact data, the WSJ reported.
The Corporate Challenge website was later taken offline after the hacking of the site was discovered, the Journal reported, but the site was restored by the bank ahead of upcoming races in Shanghai and Singapore, although payments have been moved to a Chase website.
Officials at J.P. Morgan Chase were not available for comment.
Earlier this month, Reuters had reported that two US states were investigating the theft of customer records in a massive cyberattack uncovered over the summer.