Hackers who attacked JPMorgan accessed data of 76 million households

Hackers exploited an employee password to crack a JPMorgan Chase server and pull off one of the largest cyber-attacks ever, accessing data on 76 million households and 7 million businesses.

JPMorgan, the largest US bank, outlined the scope of the breach on Thursday. It reassured clients there was no evidence account numbers and passwords were compromised, even though names and contact data were exposed. People who logged on to certain websites or mobile apps had contact information stolen, the company said.

The bank has been struggling to head off damage since the incident was first reported in August. New details of how attackers accomplished the feat over months, including their initial entry, were provided by two people briefed on the investigation. JPMorgan said the threat now was phishing, in which criminals try to trick people into handing over more valuable data, such as user IDs and passwords.

"If they find the CEO of a company, they know this person's worth a lot; they would try to attack that person," said Jeff Tjiputra, cybersecurity programme chairman at the University of Maryland University College.

In addition to contact information, hackers tapped data identifying whether customers were clients of the private bank, mortgage, auto or credit card divisions, said Patricia Wexler, a JPMorgan spokeswoman.

"There's no evidence that account information - things like account numbers, passwords, log-in IDs - were accessed, viewed or acquired," Wexler said. For example, she said, the hackers wouldn't know the balance of a customer's mortgage, only that they were a client of that unit.

JPMorgan has 65 million customers and some of those affected by the incursion were outside the US, she said. Information on both current and former customers was exposed, as well as on non-customers, including people who may have logged on to JPMorgan websites to conduct transactions with bank clients.