photoIt could be the largest security breach in U.S. history. A virtual who’s who of U.S. companies have begun notifying consumers that their names and email addresses, held in a vast database, may be been illegally accessed.

What the companies, including Citigroup, Capital One,Kroger and Tivo, all have in common is doing business with Epislon, a provider of email marketing services.

“On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system,” the company said in a statement. “The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.”

Limited threat?

Affected companies began notifying their customers over the weekend that hackers may have accessed their email addresses, though there appears to be no way the hackers can actually access the accounts themselves.

“Capital One has been informed that the compromised files did not include any personally identifiable or customer financial information,” the credit card company said in a statement Sunday. “Capital One is actively investigating the incident and Epsilon is conducting its own comprehensive investigation in cooperation with the appropriate authorities.”

While consumers often receive spam emails sent at random, security experts say the ability of scammers to put names with email addresses may make these phishing expeditions more effective.

Ignore emails

“Customers are reminded to ignore emails asking for confidential account or log-in information and remember that familiar looking links in an email can redirect to a fraudulent site,” Capital One said. “If you get an e-mail that claims to be from us but you aren't sure, or you think it's suspicious, don't click any of the links.”

In warning its customers, Tivo sought to reassure them that the information, is actually obtained by unauthorized personnel, would not compromise sensitive data.

We were advised by Epsilon that the information that was obtained was limited to first name and/or email addresses only,” Tivo said. “Epsilon does not have access to service information or credit card details and all such personally identifiable information remains secure.”

Epsilon, a unit of Alliance Data Systems, sends out an estimated 40 billion email ads each year. Law enforcement authorities are said to be investigating how the breach occurred, and just how many names and email addresses might have been accessed.