About 100 million people in the United States and 6 million more in Canada are affected, the company said, with around 140,000 social security numbers, 1 million Canadian social security numbers and 80,000 bank account numbers compromised.
Here's what you should do.
First, "get ready to spend some time and energy" to make sure everything is in order, said Erica Sandberg, a consumer finance expert based in San Francisco.
The bank says it will notify anyone affected by the breach and offer them free credit monitoring and identity protection services.
Take advantage of these services.
Check your accounts now
View your credit card and bank statements and report suspicious activity to the bank as soon as possible.
"If you find suspicious activity on your credit card, banks like Capital One can allow you to freeze your card, so purchases can no longer be made," said Sara Rathner, a credit card expert on the personal finance NerdWallet website.
"You can do this easily in the Capital One app or online."
Some experts suggest being extra careful to avoid potential future hacks.
"Change your passwords on all accounts," Sandberg said. "Yes, again."
"This can be done for free online through each of the three major credit bureaus: Experian, Equifax [and] TransUnion," Rathner said.
Just be aware that it can also lead to disadvantages.
"You can release it for your own applications, but it will be a short delay. If you buy a home, a vehicle or apply for a loan or credit card, give yourself time to work on this," Sandberg said.
"A lender or company will not be able to access your credit file until you freeze it."
Cybersecurity attacks happen all the time, but there are some best practices that can help protect your information in the future.
The key is to be alert, say experts.  One way to do that is to sign up for a credit monitoring service if you are not offered one by the bank and are still worried.
You can also check your credit reports yourself to make sure fraudulent accounts are not opened in your name – and flag any reported balances that are not matches your statements, Rathner said. Do this at least once every quarter.
Watch out for scams
"Don does not respond to phone calls or email from creditors," Sandberg warns. "Call them using the phone number found on the legitimate site."
Also, make sure you only visit secure websites when you browse the web. "Recognized sites begin with https: //." S "is the key," says Norton of Symantec. "This is especially important when entering credit cards or other personal information."
Finally: Remember this can happen to anyone, where anytime.  "There are countless hacks happening all the time. We just don't hear about them because they are smaller, and lenders and security teams tend to catch them before damage is done," Sandberg said.
"I am a cardholder of Capital One and want to do all this."