The Royal Yachting Association (RYA) has told members that "an unauthorised party" may have pilfered a database containing personal information from 2015.
A statement issued by the boating organisation, which awards sailing qualifications and safety training to the Great British Public, said it had spotted the breach just over a week ago.
"On 17 January 2020 we became aware that an unauthorised party accessed and may have acquired a database created in 2015 containing personal data associated with a number of RYA user accounts," it said.
Stolen information included names, email addresses and "hashed passwords", including a "majority held with the salted hash function." No payment or financial information was said to have gone walkies.
The association statement, seen by The Reg this morning, continued: "Our investigation into this matter is ongoing and we have engaged leading data security firms, including forensic specialists, to assist in our investigation." The Information Commissioner's Office has been informed.
All boaty people with RYA online accounts have had their passwords reset, with account access being disabled until this is done. In an email sent to RYA members and seen by The Register, the association said: "We will provide more information to those users potentially impacted by this possible breach as soon as possible."
The standard post-breach advice is to change one's password, particularly on other sites or services where you've reused the same combination of email address/username and password. This helps prevent miscreants from using the same combination elsewhere to get into your online life.
Breaches of old credentials are a cause for concern. Many people simply keep using the same username and password until forced to change it, despite the best efforts of the infosec industry to convince them not to do that. It isn't plain sailing out on the cyber high seas. ®