It took J.P. Morgan Chase & Co. two months to discover that Russian hackers had breached sensitive information for 76 million households and 7 million small businesses, according to Reuters.

The hackers used offshore servers to invade the bank’s networks as well as the JPMorgan Corporate Challenge website, unlocking a billion stolen passowrds and usernames from 420,000 websites. Milwaukee-based security firm Hold Security eventually detected the hackers. The Corporate Challenge is a promotional foot race.

Hold and JPMorgan first discovered that the hackers had gotten the website certificate for Simmco Data Systems, the site vendor of the Corporate Challenge, which gave hackers access to communications between the website and those who visited it — communications that included sensitive information such as passwords and emails.

Clients first learned of the breach back in August when Hold Security notified them. After examining their own network, JPMorgan realized its own data had been breached by the same hackers.

The initial breach came through the computer of an employee who had special privileges. Hackers used that breach to widen it to the rest of the network to grab contact information.

After JPMorgan learned about the hacking, it took down the Corporate Challenge site, and later restored it for upcoming events in Asia.

Of most concern was the fact that hackers spent two months inside the bank’s network without being detected by either the bank or law enforcement. It was only a slip-up that allowed the security vendor to detect them in August.

Hackers covered their footprints by deleting most of the log files that tracked their movements, making investigation into the breach difficult for authorities. The IP addresses could be linked to Eastern Europe and Russia, with several others pointing to Egypt and Brazil.