Three men have been charged, which so far has resulted in more than $2.7m (£1.7m) in losses, according to a statement. The scam is believed to be the largest in US history.
The FBI has arrested Philip Cummings, who is said to have started the scam while working at the helpdesk of Teledata Communications (TCI). The company provides banks and other organisations with credit reports, combining information collected by credit rating agencies Equifax, Experian Information Solutions and Trans Union.
In 1999, Cummings began to access the passwords and codes used by TCI's customers to access credit reports, authorities said. During that time, Cummings is alleged to have given passwords and codes to a co-conspirator and collected around $30 (£19) for every credit report obtained using the stolen codes.
Linus Baptiste has been charged with online fraud in relation to the case and Hakeem Mohammed, has also been arrested and has pleaded guilty to charges of mail fraud.
With the illegally obtained credit reports, some victims reported having their bank accounts depleted, while others reporting having credit cards, checks and ATM cards sent to unauthorised locations.
The passwords and codes stolen for use in the scam belonged to various organisations that request credit reports for their customers. Those organisations included banks, credit services, and an apartment complex.
Ford Motor Credit is expected to be one of the hardest hit, as authorities alleged that as many as 15,000 credit reports were illegally obtained using a password and code from the creditor's branch. Ford Motor Credit said it had been receiving complaints from its customers who had been victims of identity theft and fraud.
Other compromised passwords and codes belonged to Washington Mutual Finance and Washington Mutual Bank, as well as various banks around the country. All the systems that allegedly were breached belonged to TCI customers, according to the statement.
"It was technology-assisted, but the real problem was that this help desk employee was given access to a token that was the launchpad for fraud," said Jerry Brady, chief technology officer of Guardent, a security research company. "There are certainly good practices to control the authority of help desk personnel. It sounds as if they weren't being used."
In 2000, the US Federal Trade Commission reported around 500,000 people were victims of identity theft, according to data provided by Kroll, a security consulting company. In 2001, that number rose to 700,000, Kroll said.