TalkTalk, the broadband and phone company, said that all customers could potentially be affected but it was too early to know what data had been stolen.
Dido Harding, Talk Talk’s chief executive, defended the firm for not revealing the breach and warning customers about the attack until Thursday, despite it taking place on Wednesday morning.
The Metropolitan Police said no-one had been arrested over the attack but enquiries were ongoing.
TalkTalk said in a statement that a criminal investigation had been launched on Thursday.
Names and addresses, dates of birth, email addresses, telelphone numbers and credit card and bank details are among the data that could have been accessed, although it is not known what information was vulnerable to the attackers. Not all of the information was encrypted.
It is the third in a spate of cyber attacks affecting TalkTalk customers in the last eight months.
In August the company revealed its mobile sales site was hit by a “sophisticated and co-ordinated cyber attack” in which personal data was breached by criminals.
And in February TalkTalk customers were warned about scammers who managed to steal thousands of account numbers and names from the company’s computers.
Ms Harding told ITV’s Good Morning Britain the three attacks were “completely unrelated”, adding: “We moved as fast as we possibly can, on Wednesday lunchtime all we knew was that our website was running slowly and that we had the indications of a hacker trying to attack us.
“I can’t even tell you today exactly how many customers have been affected. We have tried to come public as fast as we can once we have got a reasonable idea of what potential data has been lost.
“I really appreciate the frustration and the worry and the concern that this causes customers – I am a customer myself – and I am very sorry for that. We are rushing to try and get that information to our customers as fast as we possibly can.”