Payroll giant ADP has suffered a security breach in which hackers have stolen tax and salary information, according to a report from Krebs on Security.

The hackers reportedly registered accounts using employees’ names at its customer firms, which ADP claims occurred after those companies inadvertently released sensitive data on ADP accounts. This made it easier for fraudsters to gain access to the information, according to the report.

This leak caught national attention yesterday (May 3) when Krebs’ report came out because of ADP’s widespread reach into the payroll and administrative sectors as the company handles those aspects for more than 640,000 companies. This includes U.S. Bank, which recently discovered that some of its employees had tax data compromised.

And, in an internal letter from Jennie Carlson, U.S. Bank executive vice president of human resources (as cited by Krebs), the issue was confirmed, also noting the ADP link.

“The incident originated because ADP offered an external online portal that has been exploited. For individuals who had never used the external portal, a registration had never been established. Criminals were able to take advantage of that situation to use confidential personal information from other sources to establish a registration in your name at ADP. Once the fraudulent registration was established, they were able to view or download your W-2,” the letter read.

ADP confirmed this activity, saying that it hit “a very small subset” of its customers. The company stressed that hackers need more than just tax data to actually open an account in another person’s name and said the data was not extracted from its systems.

ADP has responded to media requests explaining how the data got leaked, which reportedly involved U.S. Bank posting an authentication code on an unsecured webpage.

“Any potential exposure of W-2 information was limited to individuals who have had their personal information compromised previously [unrelated to ADP] based on ADP’s investigation to date,” the company said in a statement to CNBC. “Publishing unique registration codes to an unsecure website is not common practice. ADP actively advises against this practice, notifies clients of the potential risks and has temporarily disabled access to the registration portal for those clients that continue to publish company registration codes in this fashion.”