Unicredit said that personal data and account numbers could have been stolen.
But it added that the accounts' passwords had not been compromised, so the hackers could not have carried out unauthorised transactions.
It represents the biggest cyber-incident of its kind reported by an Italian bank to date.
Unicredit has blamed an unnamed "third-party provider" for the incidents.
It said the first was thought to have occurred between September and October 2016, and the second happened some time over this month and June.
"UniCredit has launched an audit and has informed all the relevant authorities," it said in a statement.
It has also tweeted a telephone number for international customers to find out whether they might have been affected.
UniCredit shares fell about 1% following its disclosure of the hack.
Other Italian banks, including Intesa Sanpaolo, Banco BPM and UBI, have said they have seen no evidence of coming under attack themselves.
Next year, the EU plans to introduce rules that will mean banks could be fined up to 4% of their annual turnover if they suffer a data breach and do not report it within hours of the discovery.
The General Data Protection Regulation comes into force in May.