The bank reported the breach on June 9, and said that data required to commit fraud was not stolen, The Wall Street Journal reported Saturday.
But the hackers, who stole names, credit card account numbers and e-mail addresses, could have matched the Citigroup data with information stolen elsewhere.
"Data that is critical to commit fraud was not compromised," Citigroup had said, naming Social Security numbers, birthdates and credit card expiration dates as information that was not breached.
Also not compromised were credit card security codes, the bank said.
Citigroup has said that account holders will not be reimbursed for fraudulent charges that appear on their accounts.
In the grand scheme of things, the breach was relatively small. Citigroup has 23.5 million credit card accounts assigned to U.S. residents. About 1.5 percent of those accounts were compromised, the Journal said.