The numbers are shocking: Personal information from 76 million households may have been compromised as part of the cyberattack on JPMorgan Chase. That is the equivalent of two out of every three households in the United States, though a small portion of those affected may be overseas.

The intrusion compromised the names, addresses, phone numbers and emails of those households, and can basically affect anyone — customers past and present — who logged onto any of Chase and JPMorgan’s websites or apps. That might include those who get access to their checking and other bank accounts online or someone who checks their credit card points over the web. Seven million small businesses also were affected.

While nobody knows what the hackers are planning to do with the data from JPMorgan — if anything at all — privacy experts say the biggest risk is that the thieves will try to extract more sensitive information from affected consumers.

“It would give the thief a call log of who to victimize, but that in and of itself is not enough to steal someone’s identity,” said Matt Davis, a senior victims adviser at the Identity Theft Resource Center. “That is the silver lining there.”

There is no evidence that account numbers, passwords, user IDs, dates of birth or Social Security numbers were compromised, according to the bank, nor did the bank suggest that customers change their passwords.

“I think it is always good practice to regularly watch your accounts,” said Trish Wexler, a JPMorgan spokeswoman. “That is just good financial hygiene.”

It is possible that the thieves could sell the JPMorgan data to others, who could then combine it with publicly available information, found through census data or social media, said Pam Dixon, executive director at the World Privacy Forum, a public interest research group. They could then create sophisticated — and very convincing — emails that targeted individual consumers, a practice known as spear phishing.

“I would be very conscious of the email you get in the next year, which could be related to this hack,” Dixon said. “They are really hard to detect. It’s not like, ‘Send me money in the Philippines.’”