Network infrastructure company Verisign has admitted it was hacked throughout 2010 and has not got a clue what data has been pinched.
The firm told Reuters it "does not believe" the attacks breached servers that support the Domain Name System (DNS) but it could not rule it out.
Data stolen from Verisign's DNS could allow attackers to intercept unencrypted communications and redirect traffic to malicious web sites. Verisign itself is keeping quiet about the hack and has only told its staff an "ugly, slim sliver of facts".
The breaches were revealed in an October US Securities and Exchange Commission (SEC) filing required to be disclosed to investors under US law and were only uncovered when Reuters went through more than 2000 SEC filings looking for information on data breach risks.
Verisign security staff apparently reacted quickly to the attack but forgot to mention it to their bosses.
Symantec, which bought Verisign's digital certificate arm in early 2010, said there was "no evidence" it was affected by the breach.