Vision Direct has admitted customers' personal and financial data was leaked earlier this month after hackers compromised the company's website.
The breach took place between 00:11 GMT on 3 November and 12:52 GMT on 8 November, said Vision Direct, which purports to be Europe's largest etailer of contact lenses and eye care products and services.
Customers who logged in during those times to update their accounts, or anyone who created a new account, will have been affected and had their data exposed, the company confirmed.
Vision Direct stated on its website:
The personal information was compromised when it was being entered into the site and includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV.
Vision Direct said that given the nature of the breach, no data previously stored in its database had been affected by the hack. It claimed the breach had been "resolved" and the website was again running normally.
"We are working with the authorities to investigate how this theft occurred," it said.
Customers with concerns can call the customer services team on 020 7768 5000 from the UK and 1 800 870 0741 from the US.
El Reg is already aware of one report of a Vision Direct customer who claimed to have received notification from their bank of multiple transactions of just under £250 made to companies that they'd never heard of.
Security researcher Scott Helme told us the latest attack appeared to be similar to events at British Airways and Ticketmaster in which the crooks exploited "third party dependencies or weakness in the application itself".
He suggested it could be the type of breach where "the attackers install a card skimmer on the website and skim data as users type it rather than steal a heap of information from a database".
Helme encouraged security folk to follow the advice NCSC issued after incidents earlier in the year in which UK government websites were hit by cryptojacking, where the miscreants mined Monero rather than pilfering credit card info. ®