Gartner analyst Avivah Litan said industry sources revealed that numbers from more than 10 million credit card accounts were stolen in the breach, with the entry point being a New York City taxi and parking garage company.
The thieves stockpiled stolen credit card numbers for months before beginning to use them, according to the analyst.
A Central American crime gang could have been behind the theft, Litan said.
"It sounds like they went into an administrative privilege account at the taxi company and stole electronic data from a central server," Litan said.
"So, if you've paid a NYC cab in the last few months with your credit or debit card, be sure to check your card statements for possible fraud."
Visa and MasterCard both said they were investigating the breach, which they stressed involved a "third party" and not their internal networks.
Visa and MasterCard were alerting banks and credit unions across the United States to what some in the financial sector were calling a "massive" breach, computer security specialist Brian Krebs said in his Krebson Security blog.
Alerts sent to banks warned that sufficient account details were stolen to make counterfeit credit cards, according to Krebs.
People should alert card issuers to suspicious account activity, according to Visa and MasterCard.
The breach is the first major instance this year of consumer information put at risk by technological flaws or hacking, but there are plenty of examples of massive data breaches in recent years affecting banks, retailers, technology companies and payment processors.
Last June, Citigroup said computer hackers breached the bank's network and accessed data of about 200,000 cardholders in North America. Sony Corp. also reported several recent attacks, including one last year in which hackers accessed the personal information on 77 million PlayStation Network and accounts.
Google Inc. suffered a major attack on its Gmail accounts in 2011 that it said appeared to originate in China, and companies including TJX Companies Inc. and Heartland Payment Systems Inc. have also had their systems compromised.
"The fact that there has been another breach at a credit card processor shouldn't come as a great surprise," said Geoff Webb of the data protection company Credant Technologies. "Credit card thieves are constantly looking for opportunities to identify and attack sites where there is a weakness in security."