Names, addresses, phone numbers, e-mail addresses and internal JPMorgan Chase information relating to such users have been compromised, the New York-based bank said in a regulatory filing.
However, it added that it has not seen "any unusual customer fraud" related to this incident till now.
"JPMorgan Chase customers are not liable for unauthorised transactions on their account that they promptly alert the firm to," the bank said.
"There is no evidence that account information for such affected customers account numbers, passwords, user Ids, dates of birth or social security numbers was compromised during this attack," it added.
The breach, which was first disclosed in August, is still under investigation by the bank and law enforcement agencies.
JPMorgan said it is cooperating with law-enforcement officials following reports that hackers, believed to be from Russia, had broken into the bank's computer systems. Reports had suggested that other banks were also targeted in the attack.
"In addition, the firm is fully cooperating with government agencies in connection with their investigations," the filing said.
The Federal Bureau of Investigations had acknowledged the attack and the US Secret Service is "working to determine the scope of recently reported cyber attacks against several American financial institutions."
Incidents of cybercrime, resulting in stealing of massive amounts of consumer data, are on the rise globally.
In September, retail chain Home Depot had said its payment systems were breached in a cyberattack that impacted about 56 million payment cards.
Last year, Adobe Systems said it suffered a cyberattack impacting over 100 million usernames, encrypted passwords and password hints.
Also, Target Corp's cyberattack last holiday season affected 40 million payment cards and 70 million names, addresses, e-mails and phone numbers.