The data breach could make these so-called phishing attacks more efficient, by allowing the fraudsters to target people who actually have an account with the bank.
David Jevans, chairman and founder of the nonprofit Anti-Phishing Working Group, said criminals had been moving away from indiscriminate phishing toward more intelligent attacks known as "spear phishing," which rely on having more intimate knowledge of the victims.
"This data breach is going to facilitate that in a big way. Now they know which institution people bank with, they know their name and they have their e-mail address," Jevans said.
"You're not going to see typical phishing where 90 percent of it ends up in spam traps and is easily detected," he said. "This is going to be highly targeted."
The affected include financial-service companies such as Capital One Financial Corp., Barclays Bank, and U.S. Bancorp, and retailers such as TiVo Inc., Walgreen Co., and Kroger Co.
The College Board, the not-for-profit organization that runs the SATs, also warned that a hacker may have obtained student e-mail addresses.
Walt Disney Co.'s travel subsidiary, Disney Destinations, sent e-mail warning customers Sunday. The hotel chain Marriott International Inc. issued a similar warning.
Epsilon said Friday that its system had been breached, exposing e-mail addresses and customer names but no other personal information.
Epsilon, a unit of Alliance Data Systems Corp., sends more than 40 billion e-mail messages annually and has more than 2,500 client companies.
The scale of the data breach meant that many people have received warnings from multiple companies since Friday.
Jill Kocher in Crystal Lake, Ill., said she got at least five e-mailed warnings from financial institutions and other companies.
Because she works for Groupon, an Internet coupon company, she feels savvy enough to avoid any phishing come-ons, but she's concerned for those who aren't.