Not everyone took advantage of the cover. Bloomberg, for example, has repeatedly denied that its systems were also breached by Chinese hackers, despite several sources that confirmed that its computers were infected with malware.
Computer security experts estimate that more than a thousand companies have been attacked recently. In 2011, security researchers at McAfee unearthed a vast online espionage campaign, called Operation Shady Rat, that found more than 70 organizations had been hit over a five-year period, many in the United States.
"I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly) with the great majority of the victims rarely discovering the intrusion or its impact," Dmitri Alperovitch, then McAfee's vice president for threat research, wrote in his findings.
"In fact," said Mr. Alperovitch, now the chief technology officer at Crowdstrike, a security start-up, "I divide the entire set of Fortune Global 2000 firms into two categories: those that know they've been compromised and those that don't yet know."
Of that group, there are still few admissions. A majority of companies that have at one time or another been the subject of news reports of online attacks refuse to confirm them. The list includes the International Olympic Committee, Exxon Mobil, Baker Hughes, Royal Dutch Shell, BP, ConocoPhillips,Chesapeake Energy, the British energy giant BG Group, the steel maker ArcelorMittal and Coca-Cola.
(Read More: New China Hack Attack an 'Act of War': Blodget)
Like Google, some companies have stepped forward in the interest of increasing awareness and improving security within their respective industries, often to little avail. In 2009, Heartland Payment Systems, a major payment processing company, took the unusual step of disclosing a major data breach on its systems that potentially exposed millions of credit and debit card customers to fraud. It did so against the advice of its lawyers.
"Until then, most people tried to sweep breaches under the rug," said Steve Elefant, then Heartland's chief information officer. "We wanted to make sure that it didn't happen to us again and didn't want to sit back while the bad guys tried to pick us off one by one."
Heartland helped set up the Payments Processors Information Sharing Council to share information about security threats and breaches within the industry. Again, the company's lawyers thought it was a bad idea, "but we felt it was important."
The effort did not stop its other members from sweeping their own breaches under the rug. Last year, Global Payments, a major payment processor, did not disclose that it had been the victim of two major breaches that potentially affected millions of accounts, until the attacks were reported by a well-known security blogger. Even then, it did not offer details that other companies could use to fortify their systems. Last week, President Obama signed an executive order that encouraged increased information-sharing about online threats between the government and private companies. But compliance with the order is voluntary, a weakened alternative to an online security bill that stalled in Congress last year after the Chamber of Commerce, a lobbying group that itself was hacked, led an effort to block it, saying that the regulations would be too burdensome.
In Washington on Wednesday, several senior administration officials presented a new strategy for protecting American intellectual property by urging firms to step forward when attacked.
(Read More: Chinese Hacking Defense 'Hard to Believe': Security Expert)
"There has been a reluctance by companies to come forward because of the concern about the impact on their shareholders or others," said Lanny A. Breuer, the assistant attorney general in charge of the criminal division of the Justice Department.
In October 2011, the Securities and Exchange Commission issued a new guidance that specifically outlined how publicly traded companies should disclose online attacks, but few disclosures have come because of it.
"Quite frankly, since then, there hasn't been an abundance of reporting on cyberevents despite the fact that they are clearly happening," said Jacob Olcott, a specialist in online risks who managed a Senate investigation into the disclosure practices.
The best hope, Mr. Olcott said, is that as investors start paying more attention to the threats, they will demand that companies disclose them. "I wouldn't hold my breath," Mr. Elefant said. "There are an awful lot of lawyers out there trying to keep companies from exposing that these breaches are happening. And they are happening."
—David E. Sanger contributed reporting from Washington.