CheckFree and an unspecified number of its banking clients have alerted five million customers to a security breach on its electronic bill payment site in December in which criminals redirected user traffic to a bogus malware site.
A gang of Ukrainian hackers seized control of the CheckFree bill payment domain for a period of five hours in Early December and redirected users to a Web address that tried to install malware on visitor desktops.
At the time, CheckFree declined to say how many of its customers - and banks who rely on the company's bill payment interface - were caught out by the attack.
But in a notice filed with the New Hampshire Attorney General's office, CheckFree parent Fiserv indicates that around 160,000 of its customers were exposed to the breach.
However, because it was not possible to identify the precise identities of those users redirected at log-in, the company has extended the notification programme to more than five million consumers, including clients of banks that outsource their bill payments to CheckFree.
The notification describes the specific conditions under which the consumer would have been exposed and directs potentially affected consumers to a CheckFree call centre for more information. Remedial actions include the provision of McAfee software that will detect and remove the malware, and two years of free credit monitoring.