Although Epsilon has not clarified, the indications are that the breach occurred at Epsilon's US operations and not its UK operations. The data accessed mainly belonged to customers of US clients, as reported earlier this week, although Dell Australia has also been affected.
An M&S spokeswoman said that some of M&S's data is held by Epsilon, M&S uses an ecommerce platform provided by US-headquartered company Amazon and some of the data is held on a US server.
M&S, in a notice to its customer, said: "We have been informed by Epsilon, a company we use to send emails to our customers, that some M&S customer email addresses have been accessed without authorisation.
"We would like to reassure you that the only information that may have been accessed is your name and email address. No other personal information, such as your account details, has been accessed or is at risk.
"We wanted to bring this to your attention as it is possible that you may receive spam email messages as a result. We apologise for any inconvenience this may cause you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information."
Tesco is also a client of Epsilon but has not been affected by the breach.
A Tesco spokesman said: "We have had confirmation from Epsilon that none of our data has been affected in any way."
Epsilon issued an updated statement on the breach. It said: "The affected clients form approximately 2% of total clients and are a subset of clients for which Epsilon provides email services."
An investigation is underway at the company.