E-commerce company eBay said client identity information including emails, addresses and birthdays was stolen in a hacking attack between late February and early March.
EBay urged users to change their passwords after the attack on a database that also contained encrypted passwords, physical addresses and phone numbers.
It said it found no evidence of any unauthorized access to financial or credit card information.
Read MoreWho has the worst password security?
EBay shares fell as much as 3.2 percent after the latest high-profile hacking attack on a U.S. company.
"For the time being, we cannot comment on the specific number of accounts impacted. However, we believe there may be a large number of accounts involved and we are asking all eBay users to change their passwords," eBay spokeswoman Kari Ramirez said.
The attack was made through compromised employee accounts that allowed unauthorized access to its corporate network, the company said in a statement. It said the breach was first detected about two weeks ago.
The company said it found no evidence of unauthorized access to personal or financial information for users of its online payment service, PayPal.
"Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers," the company said in a press release.
EBay earlier issued a notice on its PayPal website asking users to change their passwords, but took down the message a short time later without explanation.
The message headline, issued at 1:30 am ET, was "eBay Inc. To Ask All eBay Users To Change Passwords" but had no other information other than the words "place holder text."
In December, retailer Target said hackers had stolen data from up to 40 million credit and debit cards of shoppers who visited its stores during the first three weeks of the holiday season.
Last month, U.S. web media company AOL urged its tens of millions of email account holders to change their passwords and security questions after a cyber attack compromised about 2 percent of its accounts.