When it comes to defending a large company against an online attack, sometimes luck and timing can mean as much as spending hundreds of millions of dollars a year on computer security.

The broad attack this summer on JPMorgan Chase’s computer systems — which compromised some of the personal information of 76 million households and 7 million small businesses — took the bank’s security team roughly two months to detect before it was stopped.

But the intrusion at the nation’s largest bank could have gone on longer if not for a critical discovery by a small Milwaukee security consulting firm that helped JPMorgan uncover the full extent of its breach.

That firm, Hold Security, uncovered a repository of a billion stolen passwords and usernames that it said had been pilfered by a loose-knit gang of Russian hackers. The hackers, according to the consulting firm, had infiltrated more than 420,000 websites.

Hold Security’s discovery was first reported by The New York Times on Aug. 5, but in the days leading up to that report, some U.S. companies, including JPMorgan, received a preview of its findings, said people briefed on the matter.

In late July, as Hold Security began sharing the stolen password trove with some of its clients, some of the security specialists at JPMorgan began to suspect that hackers were inside the bank’s systems because of some unusual activity there, said other people who spoke on the condition of anonymity.

The hope was that the Hold Security data might provide some clues about a possible breach at the bank. It did, but in a roundabout way.

The data pointed to a big problem at the website for the JPMorgan Chase Corporate Challenge, these people said.

It contained some of the password combinations and email addresses used by race participants who had registered on the Corporate Challenge website, which is the online platform for a series of annual charitable races that JPMorgan sponsors in major cities and that is run by an outside vendor. The races are open to bank employees and employees of other corporations.