Millions of live e-mail addresses are thought to have been stolen in an attack on US marketing firm Epsilon.
It handles customer communications for many household names and sends more than 40 billion e-mails annually.
Epsilon has more than 2,500 clients including Best Buy, TiVo, Walgreens, Capital One, JP Morgan and Citigroup.
Many Epsilon clients have contacted customers warning that attackers may use the stolen data to con them out of more information.
In a terse statement on its website, Epsilon said it had detected an incident in which "clients' customer data were exposed by an unauthorized entry into Epsilon's e-mail system".
It said the only information stolen was e-mail addresses and an associated customer name. No other personal identifiable information was exposed. It said it was conducting a full investigation into how its systems were penetrated.
Epsilon did not specify which customer lists for its many clients had been stolen.
However, many firms that use Epsilon contacted their customers to inform them about the data breach.
Barclays Bank, which runs Visa credit cards for US retailer LL Bean, warned customers that they may soon get spam seeking to elicit more personal information.
Best Buy, TiVo, Walgreens, Capital One, JP Morgan and Citigroup, Kroger, Hilton Honors and others all issued similar e-mail messages to customers.
Also exposed were e-mail addresses for the US College Board which handles communications for more than seven million students.