“Your account and any other personally identifiable information were not at risk,” the clothing retailer New York & Company told its customers in an e-mail. “Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. We also want to remind you that we will never ask you for your personal information in an e-mail.”

Ron Baldwin, a technology consultant in Laguna Niguel, Calif., said that over the weekend he received an e-mail alerting him to the security breach from U.S. Bank, where he is a customer. He said he was particularly upset that the bank, a unit of U.S. Bancorp, would entrust his information to another company.

“They shared my information with a third party unbeknownst to me,” Mr. Baldwin said. “I don’t know Epsilon from some guy walking down the street.” Mr. Baldwin said that when he contacted the bank, he was told that he had given permission to share information with suppliers.

Jessica Simon, a spokeswoman for Epsilon, which is based in Irving, Tex., said in an interview: “We are currently working with authorities and are conducting a full investigation. We are limited in what we can share.”

Epsilon is a unit of Alliance Data and has some 2,500 clients, though not all of them use its e-mail marketing services. The company said that about 2 percent of its clients were affected. It declined to say how the hack had occurred or why the e-mail addresses had not been encrypted.

“Epsilon has some explaining to do about the numbers, how it was penetrated and what they have done to protect the information they have,” said Mr. Kleeman, the security expert.

Mary Landesman, a senior security researcher at Cisco Systems, said that because e-mail addresses were not considered of great value in the criminal underground, she suspected the attack on Epsilon began as something random. Hackers often scan the Internet looking for machines that have a certain vulnerability or misconfiguration and then, once they hit upon something, look further to see if the victim interests them. Ms. Landesman speculated that the attackers had found themselves on Epsilon’s system, realized what they had and then worked to acquire their customer lists.

The breach points out the significant risks for companies that outsource even seemingly low-risk activities like e-mail marketing, said Avivah Litan, an analyst focused on online fraud at the research firm Gartner. It also highlights the lack of regulation on security when it comes to consumer data that is not directly tied to financial accounts, which are subject to industry standards, Ms. Litan said.