The firm said customers' names, dates of birth, addresses and phone numbers may also have been accessed.
The Metropolitan Police's Cyber Crime Unit has launched an investigation and "leading" specialists are on the case.
The attack happened on Wednesday morning and TalkTalk say they had their website shut down by lunchtime.
The website is still down, with people being asked to call to service their accounts.
The company's four million customers are being urged to check their accounts for any suspicious activity "over the next few months" and change their passwords.
"If you see anything unusual, please contact your bank and Action Fraud as soon as possible," the company told customers.
TalkTalk boss Dido Harding told Sky News the company was taking the attack "extremely seriously", and stressed it was not certain what information had been stolen.
She said: "I'm sorry to be so vague, but at this stage we're not certain what information has been stolen.
"We're taking the precaution of contacting all of our customers because there is the potential that bank details and credit card details have been stolen, but at this stage I can't be certain that's the case."
Ms Harding added: "I should say firstly I'm a customer myself, I'm a victim myself.
"I'm extremely sorry for all of the frustration and the concern and worry this will be causing."
Ms Harding also told Sky News all customers will be offered a year's free credit monitoring in the wake of the attack.