Second-hand gadget and video games retailer Cex has said up to two million clients have had their data stolen in an online breach.
The company said the stolen data included customers’ names, address, email addresses, phone numbers and some old charge card information.
It has urged customers to change their password, especially if they reused their Cex password on other websites.
The company said it was working with the police following the breach.
Cex has more than 300 storages in the UK where people can trading in gadgets and video games, and operates the webuy.com online marketplace.
It mentioned an “unauthorised third party” had accessed online account holder data, but stressed that in-store data has not been able to been affected.
Affected customers ought to have sent an email provide counseling.
The company said some encrypted credit card knowledge had been compromised, but since the retailer stopped storing charge card information in 2009, those details were likely to have expired, making them useless to criminals.
“It’s surprising that Cex still stored customer card details prior to 2009, ” said Javvad Malik from security firm AlienVault.
“One would struggle to think of a legitimate business reason for storing expired card details, ” he said.
In a statement, Cex said it had applied a cyber-security expert to evaluation its systems, to prevent a “sophisticated breach” from happening again.