Buy from hacked companies? Check the list

The list of companies affected when hackers got access to millions of emails at a Dallas-based advertising and email management firm continues to grow.

Among the emails accessed in the hacking are those of college-bound students, credit card users and employers looking to hire professionals.

Some companies have begun notifying clients that personal information may have been compromised, and recommending procedures for customers to secure personal information.

Epilson is reported to have more than 2,500 business clients and sends out 40 billion emails a year.

Security experts said Monday they were alarmed that the breach involved targeted information -- tying individuals to businesses they patronize -- and could make customers more likely to reveal passwords, Social Security numbers and other sensitive data.

David Jevans, chairman and founder of the nonprofit Anti-Phishing Working Group, said criminals have been moving away from indiscriminate email scams, known as "phishing," toward more intelligent attacks known as "spear phishing," which rely on more intimate knowledge of victims.

"This data breach is going to facilitate that in a big way," said Jevans, also CEO of security company IronKey Inc. "Now they know which institution people bank with, they know their name and they have their email address."

The security breach occurred late last week and allowed for unauthorized access to the email distribution lists of a host of companies, including 1-800-Flowers, the College Board, Verizon, JP Crew, JPMorgan Chase, Citigroup, Robert Half International, Walgreens and TiVo. Epsilon said in a statement on Monday that about 2 percent of company's clients were affected.

"The information that was obtained was limited to email addresses and/or customer names only," Epsilon said in a statement. "A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently under way."

At least one state, Connecticut, is investigating. The Connecticut attorney general sent the company a letter asking about the breach.

Here is a list provided by The Associated Press of companies that have been among those victimized by the hacking:

Amazon.com Inc.'s AbeBooks subsidiary

Ameriprise Financial Inc., asset management and financial planning company.

Barclays Bank. Company says breach affects U.S. customers of Barclaycard.

Best Buy Co.

Capital One Financial Corp.

Citigroup Inc. Company says information limited to customers of Citi's North American credit card businesses.

The College Board, not-for-profit organization that runs the SATs.

Ethan Allen Interiors Inc., home furnishings retailer.

Hilton Worldwide, hotel chain whose brands include Hilton, Doubletree, Hampton Inn and Waldolf Astoria.

HSN Inc., a retailer with roots in the Home Shopping Network.

JPMorgan Chase & Co.

Kroger Co., grocery chain

Marriott International Inc., hotel chain whose brands include Marriott, Renaissance, Fairfield Inn and Ritz-Carlton

McKinsey & Co., a management consulting firm. Company says breach affected only subscribers of McKinsey Quarterly magazine

New York & Co., apparel chain

1-800-Flowers.com Inc.

Target Corp.

TiVo Inc., digital video recorder service

U.S. Bancorp, financial company whose brands include U.S. Bank.

Walgreen Co., drugstore chain

Walt Disney Co.'s travel subsidiary, Disney Destinations.