Global credit bureau Equifax has revealed attackers exploited a website vulnerability to gain access to the personal files of "potentially" 143 million US consumers between mid-May and July.
The company said the details accessed included names, social security numbers, and, in some cases, driver’s license numbers.
The attackers also got a hold of "limited" personal information of certain UK and Canadian residents.
Equifax, which discovered the unauthorised access on July 29, said there was no evidence of a breach into its core consumer or commercial credit reporting databases.
It has hired a cyber security firm to investigate the breach and said it would work with UK and Canadian regulators to determine the next steps.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologise to consumers and our business customers for the concern and frustration this causes," chairman and chief executive officer Richard F. Smith said in a statement.
"We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all US consumers, regardless of whether they were impacted by this incident."
Equifax has created a website to help consumers determine if they have been affected, and to sign up for one year of free credit file monitoring and identity theft protection.
The breach could be one of the biggest in the United States.
Last December, Yahoo said more than 1 billion user accounts was compromised in August 2013, while in 2014 e-commerce company EBay had urged 145 million users to change their passwords following a cyber attack.