The server in question did not have multi-factor authentication, an industry standard, enabled, it has also been claimed.
There has been criticism of Deloitte in the wake of the disclosure, with the head of a cyber security firm expressing the opinion that while the company may know a great deal about security, it appeared to have done little to make sure that the vast amount of data it has is safe.
A spokesman was quoted as saying: "In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cyber security and confidentiality experts inside and outside of Deloitte.
"The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers."
Tuesday's report said that contrary to these claims, the company had now begun a review of an email cache and attachments from numerous entities, all of which may have been exfiltrated.
The Guardian said that material from many Deloitte clients had been vulnerable, including the US state, energy, homeland security and defence departments; the US Postal Service; the National Institutes of Health; and housing agencies Fannie Mae and Freddie Mac.
"Football’s world governing body, Fifa, had emails in the server that was breached, along with four global banks, three airlines, two multinational car manufacturers, energy giants and big pharmaceutical companies," The Guardian report claimed.
It was not only email that was exposed, with the report saying that the hackers could have accessed usernames, passwords, IP addresses, architectural diagrams for businesses and health information.