Hackers may have gotten customers' names and emails from Epsilon, which is a Dallas-based company that manages email communications for about 2,500 major companies.
Among the affected companies are banks such as Capital One Financial Corp., Barclays Bank, U.S. Bancorp and Citigroup Inc., JPMorgan Chase & Co., and retailers including Best Buy Co., TiVo Inc., Walgreen Co. and Kroger Co.
The College Board, the not-for-profit organization that runs the SATs, also warned that a hacker may have obtained student email addresses.
Walt Disney Co.'s travel subsidiary, Disney Destinations, sent emails warning customers on Sunday.
Epsilon said Friday that its system had been breached, exposing email addresses and customer names but no other personal information.
But the danger is that consumers could accidentally expose passwords, credit card numbers and other personal information to criminals.
It's a standard tactic among online fraudsters to send emails to random people, purporting to be from a large bank and asking them to login in at a site that looks like the bank's site. Instead, the fraudulent site captures their login information and uses it to access the real account.
How it happened hasn't been explained yet, but according to Symantec, makers of Norton AntiVirus, consumers can now expect increased spam and phishing attacks. The Associated Press contributed to this report.