Hackers have breached some 670,000 Pokémon gamer accounts on popular fan site Pokebip.
The breach hit the French site on 28 July and includes compromised usernames, email and IP addresses, website activity, and weak MD5 passwords which can be broken in seconds.
The site warns that other connected social media accounts including Skype and Facebook could be compromised.
It urged users to change all passwords reused on other sites.
"You must avoid re-using the same password on multiple sites and keep passwords confined to a single site," site admins wrote.
"This week Pokébip was attacked but tomorrow it could be another site that you frequent.
"We are very sorry for the consequences of this attack."
Last month Pokémon fans were hit again when gaming site Pokemon Creed was hacked with some 116,000 usernames, email and IP addresses, and cleartext passwords, Australian security researcher Troy Hunt wrote on the site haveibeenpwned.com.
That attack followed a skirmish with rival site cartoon fan site Pokémon Dusk. ®