A major cyberattack at consultancy giant Deloitte reportedly went undiscovered for months, with investigators now deep into a probe to uncover exactly what was stolen.
The intrusion, which was seemingly gained through an administrator's weakly-protected account, has potentially exposed vast amounts of sensitive data from clients, who include some of the world's largest financial institutions, companies and government agencies.
According to The Guardian, which first reported news of the incident, at least six Deloitte clients have been informed that their data was compromised.
The culprit remains a mystery, but the New York-headquartered firm is now probing the possibilities, be it rogue insider, nation-state group or lone hacker.
The identities of the victims are yet to be disclosed.
The global professional services giant – which made $37bn (£27.3bn) revenue in 2016 – is now conducting a full internal review, dubbed "Windham."
The Guardian reported that Deloitte uncovered a breach of its "global email server" in March this year, but experts believe hackers may have been inside as far back as October 2016.
The staffer's compromised account had only one password and did not use two factor authentication, the newspaper reported, adding that usernames, passwords, email attachments and internal infrastructure data of its clients were all vulnerable to hijacking.
That fact would dampen claims that the hack was "sophisticated", as some reports suggest.
In terms of scope, a Deloitte spokesperson said stolen material was "a fraction" of the total five million emails stored in the targeted Microsoft Azure cloud server.
The spokesperson added: "In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review, including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte.
"As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators."
The firm did not elaborate on what government departments or law enforcement agencies it had contacted, but asserted that "no disruption" was caused to clients' businesses.
In reality, it is likely too early to tell what damage has been done by the months-long attack.
The statement added: "We remain deeply committed to ensuring that our cybersecurity defences are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity. We will continue to evaluate this matter."
According to Reuters, Deloitte is expected to release a statement on the matter "soon".
The news comes after a massive cyberattack was disclosed from US credit-monitoring company Equifax, which exposed millions of records, including 400,000 from British customers.