An employee's password has been identified as the source of the largest JP Morgan Chase and Co. data breach, which affected 76 million households and 7 million small businesses, the Washington Post reported.

Personal information and details about which category they belong to under the banks classifications were also taken, according to Bloomberg.

This includes customer names, addresses, phone numbers and email addresses, and whether they are clients of the private bank, mortgage, auto or credit-card divisions, a source told Bloomberg.

Any customer who has visited the Chase website or mobile app is vulnerable.

But account information was not breached, and no fraudulent activity has been detected, Chase said.

"There is no evidence that account information for such affected customers -- account numbers, passwords, user IDs, dates of birth or Social Security numbers -- was compromised during this attack," the company told Bloomberg.

This is the third major data breach in the country in a year -- 145 million customers were affected on EBay Inc. and 110 million in retailer Target.

The breach on JP Morgan began in June, and lasted until mid-August, with the hackers downloading gigabytes of information at a time by exploiting a flaw in the website.

The attack is being investigated by the FBI and other authorities and is believed to have originated in Russia.

Since the takeover of Crimea, and the current tense political situation in Ukraine, the U.S. has increased sanctions against Russia, which led to the possibility of the attack being government-led.

Dmitry Peskov, a spokesman for Russian President Vladmir Putin, dismissed the notion that Russia was behind the attack as "nonsense," Bloombert reported.

The breach of JP Morgan's data is the third this year and it is unlikely that it is the last. Many retailers and large companies are at risk.

MarketWatch reported that JP Morgan is not reaching out to many of those who were affected by the breach. But some have notifications on their accounts of what the company knows about the situation.

The notification sent to accountholders simply states that there is no evidence the account information has been compromised, but contact information has been.