The Guardian reported that the company, one of the big four in the accountancy industry, had been the victim of an attack that had not been noticed for months.
The attacker was said to have gained access to the company's global email server through an admin account.
The company was using Microsoft's Azure Cloud service to host its email system. It has a total of 244,000 employees worldwide.
The news comes close on the heels of a breach reported by US credit information provider Equifax which may have compromised the details of some 143 million Americans.
Data from clients across all these sectors was present in the company email system that was hacked.
While an internal review is underway, the report said that six of Deloitte's clients had been told they had been "impacted".
Deloittes’ US offices have everything from Netbios to RDP to Exchange Admin (single factor) etc etc etc. They should get an auditor. pic.twitter.com/C8aoN5YQMn— Kevin Beaumont ? (@GossiTheDog) 25 September 2017
The report said the firm discovered the hack in March but added that it believed the breach may have taken place in October or November last year.
The Guardian said that apart from emails, the attackers had access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information.
The internal review is codenamed Windham. The hack was said to have been at the Deloitte offices in Rosslyn, Virginia, and the investigators are working from that location for the last six months, the report said.
Deloitte told The Guardian in response to queries that only a few of its clients were "impacted" by the hack. A total of five million emails were in the cloud and could have been accessed.
A spokesman was quoted as saying: "In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cyber security and confidentiality experts inside and outside of Deloitte.
"The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers."
iTWire has contacted the local Deloitte branch for comment.
Deloitte EMEA: multi-factor email and thin client, best practice. Deloitte US: pic.twitter.com/eBqiSY1yy0— Kevin Beaumont ? (@GossiTheDog) 26 September 2017