The New York Times says the thievery was uncovered by Hold Security, a Milwaukee firm that has a history of sifting out online security breaches.
Hold Security didn't immediately respond to inquiries from The Associated Press.
The identities of the websites that were broken into weren't identified by the Times. The newspaper says nondisclosure agreements required Hold Security to keep some information confidential.
The reported break-in is the latest incident to raise doubts about the security measures that both big and small companies are using to protect people's information online.
Security experts believe crooks will continue breaking into computer servers unless companies become more vigilant.