Second-hand electronics dealership CeX says two million customers may have had their personal information swiped by hackers.
Several Reg readers dropped us a line after receiving an email from the Brit biz that informed them their personal details including first name, surname, address, email address and phone number had been illegally accessed by miscreants.
In some cases passwords were also stolen. The company says these were hashed, but warns – correctly – that weak passwords could still be cracked, so if you have reused one it's time to make some changes.
"We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually reviewed and updated to meet the latest online threats," CeX said in a statement.
"Clearly however, additional measures were required to prevent such a sophisticated breach occurring, and we have therefore employed a cybersecurity specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again."
Some credit and debit card data was also slurped, but CeX says that's not a problem because the store stopped taking that data in 2009, and so all of the cards have likely expired. CeX says it can't share more details while investigations are continuing.
The data loss came as part of an "online security breach" – its in-store terminals weren't affected. That'll be a relief to those using the stores, since credit card-slurping point-of-sale malware is becoming increasingly common, particularly in the US. ®