NEW YORK — With the possible theft of millions of consumer email addresses from an advertising company, several large companies have started warning customers to expect fraudulent emails that try to coax account login information from them.
A dozen companies said over the weekend that hackers may have learned their email addresses because of a security breach at a Dallas-based company called Epsilon that manages email communications.
Among the affected companies are banks like Capital One Financial Corp., Barclays Bank, U.S. Bancorp and Citigroup Inc., JPMorgan Chase & Co., and retailers like Best Buy Co., TiVo Inc., Walgreen Co. and Kroger Co.
The College Board, the not-for-profit organization that runs the SATs, also warned that a hacker may have obtained student email addresses.
Walt Disney Co.’s travel subsidiary, Disney Destinations, sent emails warning customers on Sunday.
Epsilon said Friday that its system had been breached, exposing email addresses and customer names but no other personal information.
The email addresses could be used to target spam. It’s also a standard tactic among online fraudsters to send emails to random people, purporting to be from a large bank and asking them to login in at a site that looks like the bank’s site. Instead, the fraudulent site captures their login information and uses it to access the real account.
The data breach could make these so-called “phishing” attacks more efficient, by allowing the fraudsters to target people who actually have an account with the bank.
Epsilon sends more than 40 billion emails annually and has more than 2,500 clients.